Hi,
if you update the patchbot server to not send the list of trusted authors
anymore, please first provide an adapted version of the client (and imho,
continue to serve the file until all active clients get up-to-date)!
I got:
[2017-11-23 15:35:10] Getting trusted author list...
[2017-11-23 15:35:10] retry 9; HTTP Error 404: NOT FOUND
[2017-11-23 15:35:41] retry 8; HTTP Error 404: NOT FOUND
[2017-11-23 15:36:11] retry 7; HTTP Error 404: NOT FOUND
[2017-11-23 15:36:41] retry 6; HTTP Error 404: NOT FOUND
[2017-11-23 15:37:11] retry 5; HTTP Error 404: NOT FOUND
[2017-11-23 15:37:41] retry 4; HTTP Error 404: NOT FOUND
[2017-11-23 15:38:11] retry 3; HTTP Error 404: NOT FOUND
[2017-11-23 15:38:41] retry 2; HTTP Error 404: NOT FOUND
[2017-11-23 15:39:12] retry 1; HTTP Error 404: NOT FOUND
[2017-11-23 15:39:42] retry 0; HTTP Error 404: NOT FOUND
Traceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/home/sagemath/.local/lib/python2.7/site-packages/sage_patchbot/patchbot.py", line 1614, in <module>
    main(args)
  File "/home/sagemath/.local/lib/python2.7/site-packages/sage_patchbot/patchbot.py", line 1515, in main
    patchbot = Patchbot(options)
  File "/home/sagemath/.local/lib/python2.7/site-packages/sage_patchbot/patchbot.py", line 437, in __init__
    self.reload_config()
  File "/home/sagemath/.local/lib/python2.7/site-packages/sage_patchbot/patchbot.py", line 717, in reload_config
    self.config["trusted_authors"] = self.default_trusted_authors()
  File "/home/sagemath/.local/lib/python2.7/site-packages/sage_patchbot/patchbot.py", line 587, in default_trusted_authors
    trusted = list(self.load_json_from_server("trusted", retry=10))
  File "/home/sagemath/.local/lib/python2.7/site-packages/sage_patchbot/patchbot.py", line 562, in load_json_from_server
    full_str = urlopen(ad, timeout=10).read().decode('utf8')
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 435, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 473, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 556, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 404: NOT FOUND
Ciao,
Thierry
On Sat, Nov 18, 2017 at 08:46:07PM +0100, Vincent Delecroix wrote:
> On 16/11/2017 11:32, Erik Bray wrote:
> >On Wed, Nov 15, 2017 at 10:00 AM, David Loeffler
> ><[email protected]> wrote:
> >>I'd like to request opinions on whether we should get rid of the "Trusted
> >>Authors" check in the Sage patchbot.
> >>
> >>At present, the patchbot won't test a ticket unless all of the names in the
> >>Trac "Authors" field have had at least one ticket previously merged.
> >>Presumably the intention of this is to prevent people uploading git branches
> >>with malicious code that will hijack the patchbot servers. But the "Authors"
> >>field is a free text field; there's nothing to stop anybody with a trac
> >>account uploading a git branch with author set to "William Stein", or
> >>"Mickey Mouse" for that matter. So this feature provides zero actual
> >>security against attacks, and only serves to make life more difficult for
> >>legitimate users -- and, worse still, it specifically targets new
> >>contributors who we want at all costs to encourage.
> >>
> >>So I would advocate getting rid of the "Trust" feature -- or at least
> >>adjusting it so it runs the ticket if any of the authors are trusted (rather
> >>than all of them). What do others here think of this idea?
> >>
> >>(I spotted this while reviewing ticket 19169, where the authors are a group
> >>of first-time Sage contributors from Sage Days 69 in 2015. The ticket has
> >>been languishing in needs-review purgatory for most of the intervening 2
> >>years, and the fact that it didn't have a green light from the patchbot
> >>probably contributed to that.)
> >
> >+1 please consider opening an issue at
> >https://github.com/sagemath/sage-patchbot
>
> Indeed.
>
> >I believe it's already possible to configure a patchbot to allow
> >"untrusted" authors, but it's not the default. You're right that the
> >"feature" makes no sense.
>
> Not exactly. You can have a custom "white list".
>
> >The only way to run a patchbot anything remotely "securely" is to be
> >running it on an isolated VM. A lot of the other defaults for the
> >patchbot (such as not testing package updates) are similarly false
> >security, as we discussed here a few days ago.
>
> The real problem is that the patchbot would have to find the tarball! We do
> not have a canonical place for them.
>
--
You received this message because you are subscribed to the Google Groups
"sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/sage-devel.
For more options, visit https://groups.google.com/d/optout.
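The thread touches two things a defender would want to see side by side: the "Trusted Authors" rule David describes (every name in the free-text Trac "Authors" field must have a merged ticket, with "any author trusted" as the proposed relaxation and Vincent's custom white list as a third input), and the failure Thierry reports, where the client retries the trusted-list download ten times and then aborts on HTTP 404. The following is an added example, not the sage-patchbot's own code; the names TrustPolicy, load_trusted_authors, ticket_is_trusted, fetch_trusted and the author names alice, bob and carol are all assumptions constructed for illustration. It shows the all-versus-any check as a switchable policy and a loader that degrades to the local white list when the server list is gone instead of crashing the whole bot.

```python
# Added example: hypothetical trust-check logic illustrating the thread.
# It is NOT the sage-patchbot implementation; every name below is assumed.
from enum import Enum


class TrustPolicy(Enum):
    """How the Trac "Authors" field is matched against the trusted set."""
    ALL = "all"  # every listed author must be trusted (the default the thread describes)
    ANY = "any"  # one trusted author is enough (the relaxation David proposes)


class TrustedListUnavailable(Exception):
    """Raised when the server's trusted-author list could not be fetched."""


def fetch_trusted(fetch, retries):
    """Call fetch() up to `retries` times and return the names it yields.

    `fetch` is a caller-supplied callable (hypothetical) that returns an
    iterable of author names or raises IOError/OSError, which is the base
    class of urllib's HTTPError (e.g. "HTTP Error 404: NOT FOUND").
    """
    last_error = None
    for _ in range(retries):
        try:
            return list(fetch())
        except (IOError, OSError) as exc:
            last_error = exc
    raise TrustedListUnavailable(str(last_error))


def load_trusted_authors(fetch, local_whitelist, retries=3):
    """Merge the server list with a local white list.

    If the server list is gone (the 404 in the thread), degrade to the local
    white list rather than aborting the bot at startup.
    """
    local = set(local_whitelist)
    try:
        return local | set(fetch_trusted(fetch, retries))
    except TrustedListUnavailable:
        return local


def ticket_is_trusted(authors_field, trusted, policy=TrustPolicy.ALL):
    """Decide whether a ticket may be tested under the given policy.

    `authors_field` is the free-text, comma-separated Trac "Authors" value.
    Because it is free text, a match is a heuristic, not authentication,
    which is exactly the weakness the thread points out.
    """
    names = [n.strip() for n in authors_field.split(",") if n.strip()]
    if not names:
        return False  # an empty Authors field trusts nobody
    matcher = all if policy is TrustPolicy.ALL else any
    return matcher(name in trusted for name in names)


def _constructed_404_fetch():
    """Constructed stand-in for a server that no longer serves the list."""
    raise IOError("HTTP Error 404: NOT FOUND")


if __name__ == "__main__":
    trusted = load_trusted_authors(_constructed_404_fetch, ["alice"])
    print(trusted)  # {'alice'}: fell back to the local white list
    print(ticket_is_trusted("alice, carol", trusted, TrustPolicy.ALL))  # False
    print(ticket_is_trusted("alice, carol", trusted, TrustPolicy.ANY))  # True
```

The fallback keeps the bot running with whatever trust configuration the operator set locally; it does not make the check any stronger, since, as the thread notes, the Authors field remains free text and the real isolation boundary is the VM the bot runs in.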