Very nice!

On Fri, May 25, 2018 at 6:31 AM, Aaron Markham <[email protected]> wrote:
> Thanks Marco, this is a welcome improvement.
>
> On Fri, May 25, 2018, 05:56 Marco de Abreu <[email protected]> wrote:
>
> > Hello MXNet community,
> >
> > I'd like to announce the launch of restricted slaves and jobs for our CI
> > system.
> >
> > The purpose of this feature is to allow separating slaves that execute
> > arbitrary code from verified code like on our version-branches and the
> > master. This step is necessary in order to increase the security of
> > produced artefacts.
> >
> > Until now, the generation of user-facing artefacts like our website was
> > run on the same instances as unverified code from Pull Requests. This
> > could potentially have been abused to deploy a virus on our slaves
> > (although they are recycled very frequently through the auto scaling
> > system) that alters the artefact generation processes and attaches
> > malicious code to it.
> >
> > In order to mitigate this attack vector, we're introducing restricted
> > slaves and jobs. From now on, any user-facing output like nightly builds
> > or the website, will have to be generated on slaves that are only
> > executing code that has been verified by our committers by merging the
> > changes into one of our branches.
> >
> > I'd like to invite everybody to review the documentation at
> > https://cwiki.apache.org/confluence/display/MXNET/Restricted+jobs+and+nodes.
> > Considering this is a security feature, I'd especially love to hear
> > critical input or any ideas that would allow to poke holes into my
> > solution.
> >
> > Best regards,
> > Marco
