On Wed, Feb 15, 2012 at 10:59 AM, William Stein <[email protected]> wrote:
> On Wed, Feb 15, 2012 at 10:31 AM, kcrisman <[email protected]> wrote:
>>> > expected behavior.
>>>
>>> It does always timeout. The regular doctests take 1300 seconds for
>>> sandpile.py! I need to figure out what's going on there.
>>>
>>> > I think at this point manual intervention is required. Or was there
>>> > something else you were thinking it should do (because clearly you
>>> > were surprised, which isn't the intent).
>>>
>>> Well, I wasn't *too* surprised. I guess I was hoping for everything to
>>> work perfectly with no intervention. But it does seem to be working now,
>>> with a longer timeout.
>>>
>>
>> Some followup (#10702 notwithstanding):
>>
>> So I tried out the patchbot. Seemed to work reasonably well at
>> first.
>>
>> Then I came into my office this morning.  Computer was humming at a
>> VERY decent clip; I could not get the screen to appear, Ctrl-C did
>> nothing, nothing nothing nothing, but clearly very busy (testing,
>> perhaps).  I had to restart it manually.
>
> Yikes!
>
> I'm still worried -- what if some jerk posts a patch to trac that contains
>
>   sage: os.system('rm -rf /')
>   Got you!
>
> I think a patch like the above is a very real possibility.  All that
> would have to happen would be for one of the 500 trac accounts (which
> sometimes have very dumb passwords) to be compromised, or for somebody
> to get a trac account, and boom -- some users running a patchbot lose
> everything.  That's not a pretty thought.

Hence my previous comment:

"Precaution should be taken as you're
building and running arbitrary code (by default from people with a
trac account and a previously accepted patch, though you can customize
this as well)."

I should have been stronger.

For most of its life, the patchbot executed code from a whitelist of
authors, which is a good place to start (but requires a fair amount of
manual maintenance). Unfortunately, this doesn't cover the issue of
account compromise. Ideally we would sign patches and then we could
check the signatures. Something like code.google.com or github would
provide stronger authentication guarantees than our own trac server.
And of course running things in a jail/vm/separate account is
worthwhile.

> We could at least check that $HOME appears to be nearly empty, when
> the patchbot starts up, suggesting that this isn't the user's normal
> account.   Or we could require that the username contain some string
> like "sage", again forcing the user to at least make a special account
> for the patchbot.

That's not a bad idea. I think we should have a strong VM to test
everything, and individuals can test more "trusted" patches with their
own thresholds of security.

- Robert

-- 
To post to this group, send an email to [email protected]
To unsubscribe from this group, send an email to 
[email protected]
For more options, visit this group at http://groups.google.com/group/sage-devel
URL: http://www.sagemath.org
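The startup sanity checks proposed in this exchange (refuse to run unless $HOME looks nearly empty and the username suggests a dedicated account), written out as an added Python example. This is not the Sage patchbot's own code: the skeleton file list, the "nearly empty" threshold, the `sage` name fragment and the function names are all assumptions made for illustration, and the extra refusal to run as root is this example's addition.

```python
"""Startup guard for a bot that builds and runs untrusted patches.

Added example, not the patchbot's own code.  It implements the checks
discussed on the list -- $HOME should be nearly empty and the username
should contain "sage" -- so the bot refuses to start inside someone's
personal account.  All names and thresholds below are assumptions.
"""
import getpass
import os
import sys
from pathlib import Path

# Dot-files a freshly created account usually has (assumed list).
# Anything else in $HOME counts as real user data.
EXPECTED_SKELETON = {
    ".bashrc", ".bash_logout", ".bash_history", ".profile",
    ".cache", ".config", ".local", ".viminfo",
}

# How many non-skeleton entries $HOME may hold and still count as
# "nearly empty" (assumed threshold, e.g. a sage checkout and a log dir).
MAX_EXTRA_ENTRIES = 3

# Substring the account name must contain (as proposed in the thread).
REQUIRED_NAME_FRAGMENT = "sage"


def home_is_nearly_empty(entries, max_extra=MAX_EXTRA_ENTRIES):
    """Return True if `entries` (names in $HOME) contain at most
    `max_extra` items beyond the usual account skeleton."""
    extra = [name for name in entries if name not in EXPECTED_SKELETON]
    return len(extra) <= max_extra


def username_looks_dedicated(username, fragment=REQUIRED_NAME_FRAGMENT):
    """Return True if the account name contains the required fragment."""
    return fragment in username.lower()


def sandbox_problems(username, home_entries, uid):
    """Return a list of reasons the environment looks like a personal
    account rather than a throwaway one.  An empty list means all
    checks passed.  Pure function so it can be tested without touching
    the real filesystem."""
    problems = []
    if uid == 0:
        problems.append(
            "running as root; an untrusted patch would own the whole host")
    if not username_looks_dedicated(username):
        problems.append(
            f"username {username!r} does not contain "
            f"{REQUIRED_NAME_FRAGMENT!r}; create a dedicated account")
    if not home_is_nearly_empty(home_entries):
        problems.append(
            "$HOME holds data beyond a fresh account's skeleton; "
            "refusing to run untrusted patches here")
    return problems


def check_current_environment():
    """Gather the live username, $HOME listing and uid, run the checks
    and return the problem list."""
    home = Path(os.environ.get("HOME", str(Path.home())))
    entries = [p.name for p in home.iterdir()] if home.is_dir() else []
    uid = os.getuid() if hasattr(os, "getuid") else -1  # -1 on Windows
    return sandbox_problems(getpass.getuser(), entries, uid)


if __name__ == "__main__":
    issues = check_current_environment()
    for issue in issues:
        print("refusing to start:", issue, file=sys.stderr)
    if issues:
        sys.exit(1)
    print("environment looks like a dedicated account; continuing")
```

The checks only make a mistake harder, not impossible: an attacker's patch still runs with the dedicated account's full privileges, so this guard belongs alongside, not instead of, the jail/VM/separate-account isolation Robert mentions.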