Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Beierl, Mark
Here is such an example from StorPerf [1]. When the docker image is built, I do a git clone of a specific version of FIO, one which contains a bug fix to metrics. This version is then compiled and used at runtime for executing disk IO. [1]

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Tapio Tallgren
On 12/19/2016 04:49 PM, Luke Hinds wrote: On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren wrote: Luke, Since you are checking for binary files (point 2), will you also check all checkouts from version control systems

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
On Mon, Dec 19, 2016 at 3:00 PM, Serg Melikyan wrote: > Hi Luke, > > there are several kinds of projects in Open NFV space, and I am happy > that your proposal covers not only python projects. Having security > job templates which can be re-used in gates with an

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Serg Melikyan
Hi Luke, there are several kinds of projects in Open NFV space, and I am happy that your proposal covers not only python projects. Having security job templates which can be re-used in gates with an extensive description of how to use them is very important and helpful. My only ask would be to

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren wrote: > Luke, > > Since you are checking for binary files (point 2), will you also check all > checkouts from version control systems (like git)? I would like all of > these to pull in explicit versions (as opposed to

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
Yujun, I said gate, but I meant check (so every time a commit happens, not a workflow +1) Luke On Mon, Dec 19, 2016 at 1:28 PM, Luke Hinds wrote: > Hi Yujun, > > I would need Fatih to comment as I am not that up to speed on CI. The > following is an albeit incomplete

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Tapio Tallgren
Luke, Since you are checking for binary files (point 2), will you also check all checkouts from version control systems (like git)? I would like all of these to pull in explicit versions (as opposed to main), since otherwise you will have no idea what you are building. We also have a

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
Hi Yujun, I would need Fatih to comment as I am not that up to speed on CI. The following is an albeit incomplete example of how we will wire this in: https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Yujun Zhang
Luke, I remember that Fatih once mentioned that there are no gates in OPNFV CI yet. So you are talking about some additional verification jobs enforced on each commit. Or is it something like the current daily/weekly job? Could you help to clarify it? On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds