I will try to set up libvirt. I can keep the PR comment from admin as a backup option.
Rajdeep

On Thu, Mar 28, 2019 at 5:37 PM Pierre Tardy <tar...@gmail.com> wrote:
> You can take control of the VM by downloading a ransomware or botnet or
> whatever.
>
> You usually counter that by making sure the PR VMs are restricted in terms
> of the network access they can do, and also restricted in the amount of time
> they are alive (basically just the time of the build).
>
> Another much simpler option is to trigger the PR testing via a PR comment
> from an admin.
>
> If a MacPorts maintainer sends a message like "Go Buildbot", then buildbot
> would catch that and start a build, provided that the PR got basic review
> and is not suspicious.
>
> Pierre
>
> On Thu, 28 Mar 2019 at 13:03, Rajdeep Bharati <rajdeepbharat...@gmail.com> wrote:
>> All right. Could you please give an example of a malicious PR? Would it
>> be one which is done (locally tested) from an old version of macOS?
>>
>> On Wed, Mar 27, 2019 at 9:55 PM Mojca Miklavec <mo...@macports.org> wrote:
>>> Dear Rajdeep,
>>>
>>> It's not just a question of how to fetch a PR. That shouldn't be too
>>> difficult, I hope (and probably the link you provided works as intended).
>>>
>>> The tricky question is how to prevent malicious PRs from doing damage on
>>> the builders. I assume that a proper solution would require starting a
>>> fresh VM for each build. There is some support in the buildbot already:
>>>
>>> http://docs.buildbot.net/2.1.0/manual/configuration/workers-libvirt.html
>>> https://github.com/kholia/OSX-KVM
>>>
>>> but we would need to find a way to create VMs with macOS, so it might
>>> not be trivial to do it. On top of that, what we would really need the PRs
>>> for are the old machines (say, 10.6, or even 10.4 if we would want to go to
>>> extremes) where it might be even less trivial to automate this in a nice
>>> way.
>>>
>>> (A compromise solution would be to only allow trusted developers to test
>>> pull requests on devoted builders, where we would also need to make sure to
>>> uninstall the software after the PR is done building.)
>>>
>>> While implementing this remains almost the number one requested thing
>>> when people contribute to packages, I'm not sure how much time doing this
>>> would take. It could be that this could be done in a day or a few days, but
>>> it's also possible that there would be some stumbling block that would
>>> require more hacking skills and would prevent us from proceeding, and not
>>> even two months would suffice. In one way, I wouldn't mind if a student
>>> would work on this for the full summer to get this working; on the other
>>> hand, if there's a block and none of us is skilled enough to overcome it,
>>> it makes more sense to proceed with other stuff that can certainly be done.
>>>
>>> Mojca
>>>
>>> On Wed, 27 Mar 2019 at 16:05, Rajdeep Bharati <rajdeepbharat...@gmail.com> wrote:
>>>> I could use the GitHubPullrequestPoller
>>>> <http://docs.buildbot.net/current/manual/configuration/changesources.html#chsrc-GitHubPullrequestPoller>
>>>> which periodically polls the GitHub API for new/updated PRs.
>>>>
>>>> Here is an example:
>>>> https://github.com/halide/build_bot/blob/master/master/master.cfg
>>>>
>>>>     # in master.cfg; `token` and `pr_filter` must be defined earlier in the file
>>>>     from buildbot.changes.github import GitHubPullrequestPoller
>>>>
>>>>     c['change_source'].append(GitHubPullrequestPoller(
>>>>         owner = 'halide',
>>>>         repo = 'Halide',
>>>>         token = token,
>>>>         pullrequest_filter = pr_filter,
>>>>         pollInterval = 60*5,  # Check Halide PRs every five minutes
>>>>         pollAtLaunch = True))
>>>>
>>>> Rajdeep
>>>>
>>>> On Wed, Mar 27, 2019 at 3:59 AM Mojca Miklavec <mo...@macports.org> wrote:
>>>>> Dear Rajdeep,
>>>>>
>>>>> On Tue, 26 Mar 2019 at 19:51, Rajdeep Bharati wrote:
>>>>> >
>>>>> > I have submitted a draft proposal:
>>>>> > https://docs.google.com/document/d/12wRjA8sOWNOuApHZ_fm0n1aIPLVPt9Xm2yGiMwiK3AI/edit.
>>>>> > Could you please provide some feedback?
>>>>>
>>>>> Cool, thank you very much, it looks nice, please give us a bit of time.
>>>>>
>>>>> One question: what precisely is your plan for setting up disposable
>>>>> builds for PRs?
>>>>>
>>>>> Mojca
>>>>>
>>>>
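The thread leaves the gatekeeping part of Pierre's suggestion (build a PR only once a maintainer has vouched for it) and Mojca's compromise (trusted developers only) as ideas. Below is an added example, written for this page and not code from the MacPorts thread or from the halide master.cfg, of a pullrequest_filter for buildbot's GitHubPullrequestPoller that implements both gates. It assumes the poller hands the filter the raw pull request object GitHub returns from /repos/{owner}/{repo}/pulls (a dict), that the maintainer's "Go Buildbot" signal is expressed as a label (the label name "ci-approved" is assumed; on GitHub only accounts with triage access or higher can apply labels, so an outsider cannot self-approve), and that authors whose author_association is OWNER, MEMBER or COLLABORATOR are trusted without a label. The sample PR objects at the bottom are constructed for the example.

```python
# Added example, not code from the MacPorts thread or the halide master.cfg.
# A pullrequest_filter for buildbot's GitHubPullrequestPoller that admits a
# pull request only when a trusted person has vouched for it.
#
# Assumptions not stated on the page:
#   * GitHubPullrequestPoller calls pullrequest_filter(pr) with the raw pull
#     request object from GET /repos/{owner}/{repo}/pulls (a dict).
#   * The approval signal is a label named "ci-approved" (name is assumed).
#     Only accounts with triage access or higher can apply labels on GitHub,
#     so the label stands in for the maintainer's "Go Buildbot" comment.
#   * Authors with author_association OWNER, MEMBER or COLLABORATOR are
#     trusted without a label (the "trusted developers only" compromise).

APPROVAL_LABEL = "ci-approved"                       # assumed label name
TRUSTED_ASSOCIATIONS = frozenset({"OWNER", "MEMBER", "COLLABORATOR"})


def pr_is_approved(pr, label=APPROVAL_LABEL):
    """Return True if buildbot may build this PR on a shared builder.

    Fails closed: a missing or unexpected field means the PR is not built.
    """
    if pr.get("state") != "open":
        return False
    if pr.get("draft"):                  # drafts have not been reviewed yet
        return False
    author_is_trusted = pr.get("author_association") in TRUSTED_ASSOCIATIONS
    labels = {lbl.get("name") for lbl in pr.get("labels", [])
              if isinstance(lbl, dict)}
    return author_is_trusted or label in labels


def poller_kwargs(owner, repo, token):
    """Keyword arguments for GitHubPullrequestPoller(...) in master.cfg.

    Returned as a plain dict so this module runs without buildbot installed;
    in master.cfg you would write
        c['change_source'].append(GitHubPullrequestPoller(**poller_kwargs(...)))
    """
    return {
        "owner": owner,
        "repo": repo,
        "token": token,
        "pullrequest_filter": pr_is_approved,
        "pollInterval": 5 * 60,          # poll every five minutes
        "pollAtLaunch": True,
    }


# Constructed sample PR objects, trimmed to the fields the filter reads.
SAMPLE_PRS = {
    "outsider_unlabeled": {"number": 101, "state": "open", "draft": False,
                           "author_association": "NONE", "labels": []},
    "outsider_labeled":   {"number": 102, "state": "open", "draft": False,
                           "author_association": "CONTRIBUTOR",
                           "labels": [{"name": "ci-approved"}]},
    "member_unlabeled":   {"number": 103, "state": "open", "draft": False,
                           "author_association": "MEMBER", "labels": []},
    "member_closed":      {"number": 104, "state": "closed", "draft": False,
                           "author_association": "MEMBER", "labels": []},
    "labeled_draft":      {"number": 105, "state": "open", "draft": True,
                           "author_association": "NONE",
                           "labels": [{"name": "ci-approved"}]},
}


def approved_numbers(prs=SAMPLE_PRS):
    """PR numbers the filter would let the poller turn into changes."""
    return sorted(pr["number"] for pr in prs.values() if pr_is_approved(pr))


if __name__ == "__main__":
    print(approved_numbers())            # [102, 103]
```

Two caveats a practitioner would want. First, the label is a property of the PR, not of a specific commit: once a maintainer applies it, anything pushed to the branch afterwards is also built, so either the maintainer must remove the label when new commits arrive or the master should record the head SHA at approval time and refuse later ones (the PR object's head.sha field makes that check cheap). Second, the filter only decides what gets built; it does not replace the network restriction and short VM lifetime Pierre describes, which still have to be enforced on the worker side.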