Re: Jenkins ASF + Pull Requests + webhooks

2019-01-06 Thread Tibor Digana
disabled logs, workspace and artifacts for anonymous Jenkins users, but
available for PMC and Maven committers.

On Sun, Jan 6, 2019 at 8:41 PM Mickael Istria  wrote:

> On Sun, Jan 6, 2019 at 8:32 PM Tibor Digana 
> wrote:
>
> > I meant Bitcoins. Without network access bitcoins can be loaded but nobody
> > can use them. An access to Workspace and archived artifacts should be
> > disabled for users.
>
>
> That would be sad since those are actually super helpful when trying to
> debug issues that are only happening in some environments and CI reproduces
> when they can hardly reproduce them locally.
>


Re: Jenkins ASF + Pull Requests + webhooks

2019-01-06 Thread Mickael Istria
On Sun, Jan 6, 2019 at 8:32 PM Tibor Digana  wrote:

> I meant Bitcoins. Without network access bitcoins can be loaded but nobody
> can use them. An access to Workspace and archived artifacts should be
> disabled for users.


That would be sad since those are actually super helpful when trying to
debug issues that are only happening in some environments and CI reproduces
when they can hardly reproduce them locally.


Re: Jenkins ASF + Pull Requests + webhooks

2019-01-06 Thread Tibor Digana
@Stephen Connolly 
I meant Bitcoins. Without network access bitcoins can be loaded but nobody
can use them. An access to Workspace and archived artifacts should be
disabled for users.


On Sun, Jan 6, 2019 at 5:51 PM Stephen Connolly <
stephen.alan.conno...@gmail.com> wrote:

> That is not the problem you think it is. Bitcoin mining is the current
> issue. And through Jenkinsfile or Process.exec you can bypass JVM
> permissions
>
> On Sun 6 Jan 2019 at 16:44, Tibor Digana  wrote:
>
> > Regarding "pull/1234/head" refs and the security, I think allowing only the
> > permission to Maven Central IP address is needed and nowhere else.
> > This can be accomplished by the java policy in JRE.
> > WDYT?
> >
> > On Sun, Jan 6, 2019 at 11:09 AM Hervé BOUTEMY 
> > wrote:
> >
> > > I didn't know about these special "pull/1234/head" refs, that are not real
> > > branches: if these pseudo-branches were synchronized to Gitbox like any
> > > branch, the Gitpubsub mechanism could happen at Apache
> > > of course, the security implications of running code from these PR
> > > branches
> > > would still have to be managed...
> > >
> > > notice: there is a discussion on this on builds@apache [1]
> > >
> > > Regards,
> > >
> > > Hervé
> > >
> > > [1] https://lists.apache.org/list.html?bui...@apache.org
> > >
> > > On Saturday, January 5, 2019, 12:34:24 CET, Enrico Olivelli wrote:
> > > > Hi Stephen,
> > > > I am not a Jenkins expert, but I want to share this idea, maybe it can help.
> > > > Can we use GitHub webhooks in order to trigger the creation of a Job inside
> > > > Maven-Box ?
> > > > This way we don't have to continuously use Github API.
> > > > When an user creates/updates a PR we can import the PR and create the
> > > > Job, having as repository not gitbox.apache.org but github.com
> > > >
> > > > In github you have this special refs "pull/1234/head" which points to
> > > > the branch on remote fork
> > > >
> > > > just an idea
> > > >
> > > > Enrico
> > > >
> > > > -
> > > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > > > For additional commands, e-mail: dev-h...@maven.apache.org
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> --
> Sent from my phone
>


Re: Jenkins ASF + Pull Requests + webhooks

2019-01-06 Thread Stephen Connolly
That is not the problem you think it is. Bitcoin mining is the current
issue. And through Jenkinsfile or Process.exec you can bypass JVM
permissions

On Sun 6 Jan 2019 at 16:44, Tibor Digana  wrote:

> Regarding "pull/1234/head" refs and the security, I think allowing only the
> permission to Maven Central IP address is needed and nowhere else.
> This can be accomplished by the java policy in JRE.
> WDYT?
>
> On Sun, Jan 6, 2019 at 11:09 AM Hervé BOUTEMY 
> wrote:
>
> > I didn't know about these special "pull/1234/head" refs, that are not real
> > branches: if these pseudo-branches were synchronized to Gitbox like any
> > branch, the Gitpubsub mechanism could happen at Apache
> > of course, the security implications of running code from these PR
> > branches
> > would still have to be managed...
> >
> > notice: there is a discussion on this on builds@apache [1]
> >
> > Regards,
> >
> > Hervé
> >
> > [1] https://lists.apache.org/list.html?bui...@apache.org
> >
> > On Saturday, January 5, 2019, 12:34:24 CET, Enrico Olivelli wrote:
> > > Hi Stephen,
> > > I am not a Jenkins expert, but I want to share this idea, maybe it can help.
> > > Can we use GitHub webhooks in order to trigger the creation of a Job inside
> > > Maven-Box ?
> > > This way we don't have to continuously use Github API.
> > > When an user creates/updates a PR we can import the PR and create the
> > > Job, having as repository not gitbox.apache.org but github.com
> > >
> > > In github you have this special refs "pull/1234/head" which points to
> > > the branch on remote fork
> > >
> > > just an idea
> > >
> > > Enrico
> > >
> >
> >
> >
> >
> >
> >
> >
>
-- 
Sent from my phone


Re: Jenkins ASF + Pull Requests + webhooks

2019-01-06 Thread Tibor Digana
Regarding "pull/1234/head" refs and the security, I think allowing only the
permission to Maven Central IP address is needed and nowhere else.
This can be accomplished by the java policy in JRE.
WDYT?

On Sun, Jan 6, 2019 at 11:09 AM Hervé BOUTEMY  wrote:

> I didn't know about these special "pull/1234/head" refs, that are not real
> branches: if these pseudo-branches were synchronized to Gitbox like any
> branch, the Gitpubsub mechanism could happen at Apache
> of course, the security implications of running code from these PR
> branches
> would still have to be managed...
>
> notice: there is a discussion on this on builds@apache [1]
>
> Regards,
>
> Hervé
>
> [1] https://lists.apache.org/list.html?bui...@apache.org
>
> On Saturday, January 5, 2019, 12:34:24 CET, Enrico Olivelli wrote:
> > Hi Stephen,
> > I am not a Jenkins expert, but I want to share this idea, maybe it can help.
> > Can we use GitHub webhooks in order to trigger the creation of a Job inside
> > Maven-Box ?
> > This way we don't have to continuously use Github API.
> > When an user creates/updates a PR we can import the PR and create the
> > Job, having as repository not gitbox.apache.org but github.com
> >
> > In github you have this special refs "pull/1234/head" which points to
> > the branch on remote fork
> >
> > just an idea
> >
> > Enrico
> >
>
>
>
>
>
>
>


Re: Jenkins ASF + Pull Requests + webhooks

2019-01-06 Thread Hervé BOUTEMY
I didn't know about these special "pull/1234/head" refs, that are not real 
branches: if these pseudo-branches were synchronized to Gitbox like any 
branch, the Gitpubsub mechanism could happen at Apache
of course, the security implications of running code from these PR branches 
would still have to be managed...

notice: there is a discussion on this on builds@apache [1]

Regards,

Hervé

[1] https://lists.apache.org/list.html?bui...@apache.org

On Saturday, January 5, 2019, 12:34:24 CET, Enrico Olivelli wrote:
> Hi Stephen,
> I am not a Jenkins expert, but I want to share this idea, maybe it can help.
> Can we use GitHub webhooks in order to trigger the creation of a Job inside
> Maven-Box ?
> This way we don't have to continuously use Github API.
> When an user creates/updates a PR we can import the PR and create the
> Job, having as repository not gitbox.apache.org but github.com
> 
> In github you have this special refs "pull/1234/head" which points to
> the branch on remote fork
> 
> just an idea
> 
> Enrico
> 








Jenkins ASF + Pull Requests + webhooks

2019-01-05 Thread Enrico Olivelli
Hi Stephen,
I am not a Jenkins expert, but I want to share this idea, maybe it can help.
Can we use GitHub webhooks in order to trigger the creation of a Job
inside Maven-Box ?
This way we don't have to continuously use Github API.
When an user creates/updates a PR we can import the PR and create the
Job, having as repository not gitbox.apache.org but github.com

In github you have this special refs "pull/1234/head" which points to
the branch on remote fork

just an idea

Enrico
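
The webhook-driven flow proposed in this message, combined with the concern raised in the replies about running code from PR branches, as an added example that is not part of the thread and not ASF or Jenkins code: a receiver authenticates a GitHub pull_request delivery, derives the "pull/1234/head" refspec from it, and decides whether the job may start without committer approval. The function names, the trusted-association set and the sample repository, secret and commit id are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumptions: associations that build unattended; actions that carry new code.
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}
BUILD_ACTIONS = {"opened", "reopened", "synchronize"}


def signature_ok(secret: bytes, body: bytes, header: str) -> bool:
    """Verify X-Hub-Signature-256: 'sha256=' + HMAC-SHA256(secret, raw body)."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())


def plan_build(secret: bytes, headers: dict, body: bytes, repo: str):
    """Return a build plan for a pull_request delivery, or None to ignore it."""
    if not signature_ok(secret, body, headers.get("X-Hub-Signature-256")):
        return None  # not signed with the shared webhook secret
    if headers.get("X-GitHub-Event") != "pull_request":
        return None
    event = json.loads(body)
    if (event.get("repository") or {}).get("full_name") != repo:
        return None  # delivery for a repository this job does not build
    if event.get("action") not in BUILD_ACTIONS:
        return None
    number = event.get("number")
    if type(number) is not int or number <= 0:
        return None  # only a positive integer may reach the refspec
    pr = event.get("pull_request") or {}
    return {
        "remote": f"https://github.com/{repo}.git",
        "refspec": f"+refs/pull/{number}/head:refs/remotes/origin/pr/{number}",
        "sha": (pr.get("head") or {}).get("sha"),
        "auto_build": pr.get("author_association") in TRUSTED,
    }


# Constructed sample delivery (placeholder repository, secret and commit id).
SECRET = b"constructed-secret"
SAMPLE = json.dumps({
    "action": "opened", "number": 1234,
    "repository": {"full_name": "example-org/example-repo"},
    "pull_request": {"head": {"sha": "0" * 40}, "author_association": "NONE"},
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "pull_request",
    "X-Hub-Signature-256":
        "sha256=" + hmac.new(SECRET, SAMPLE, hashlib.sha256).hexdigest(),
}
```

The auto_build flag only decides whether a job starts unattended; what the PR's code can reach once it runs is the separate question the replies in this thread discuss.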
