On Sun, Apr 08, 2018 at 12:20:34PM +0200, db wrote:
On 7 Apr 2018, at 19:44, Clemens Lang <c...@macports.org> wrote:Remember that Portfiles can execute arbitrary code and root access is available from Portfiles. We do not want to run arbitrary code in a PR on the same build machines we use to build packages that we will distribute to our users. A malicous attacker could modify the machines in a way that packages built after that will be miscompiled.If you review the code before, that should never be the case and it would build just once if it succeeds, right? Or am I missing something how PRs are handled?
CI builds are automatically started when a PR is submitted or updated, and we usually review the code after the build completes. Unless CI builds are fast enough, manually triggering builds after code review would be a waste of manpower (we have to wait till the build completes). The CI system is useful because it can provide more information when we review the PRs. It would be less useful if we have to manually start the builds. -- Best regards, Zero King
Description: S/MIME cryptographic signature