Hello MXNet community,

I'd like to announce the launch of restricted slaves and jobs for our CI system.

The purpose of this feature is to allow separating slaves that execute arbitrary code from verified code like on our version-branches and the master. This step is necessary in order to increase the security of produced artefacts. Until now, the generation of user-facing artefacts like our website was run on the same instances as unverified code from Pull Requests. This could potentially have been abused to deploy a virus on our slaves (although they are recycled very frequently through the auto scaling system) that alters the artefact generation processes and attaches malicious code to it.

In order to mitigate this attack vector, we're introducing restricted slaves and jobs. From now on, any user-facing output like nightly builds or the website will have to be generated on slaves that are only executing code that has been verified by our committers by merging the changes into one of our branches.

I'd like to invite everybody to review the documentation at https://cwiki.apache.org/confluence/display/MXNET/Restricted+jobs+and+nodes. Considering this is a security feature, I'd especially love to hear critical input or any ideas that would allow poking holes in my solution.

Best regards,
Marco
