On Sun, Apr 08, 2018 at 12:20:34PM +0200, db wrote:
On 7 Apr 2018, at 19:44, Clemens Lang <c...@macports.org> wrote:
Remember that Portfiles can execute arbitrary code and root access is
available from Portfiles. We do not want to run arbitrary code in a PR
on the same build machines we use to build packages that we will
distribute to our users. A malicous attacker could modify the machines
in a way that packages built after that will be miscompiled.

If you review the code before, that should never be the case and it would build 
just once if it succeeds, right? Or am I missing something how PRs are handled?

CI builds are automatically started when a PR is submitted or updated,
and we usually review the code after the build completes. Unless CI
builds are fast enough, manually triggering builds after code review
would be a waste of manpower (we have to wait till the build completes).
The CI system is useful because it can provide more information when we
review the PRs. It would be less useful if we have to manually start the

Best regards,
Zero King

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to