|[eclipse.org-committers] Malicious executable content in Gerrit contributions|
Witness: https://git.eclipse.org/r/#/c/37910/ This shows the intention of the contributor: https://git.eclipse.org/r/#/c/37910/1/features/papyrus-tests-features/org.eclipse.papyrus.tests.build.feature/epl-v10.htmlIn this case, the bad contribution was picked up and built by Hudson... Many projects also run tests on these unknown contributions, which means Hudson not only builds the malicious code, but executes it too.
I am convinced that this practice, albeit convenient for projects, can ultimately lead to really bad things.
Discuss in this bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=375350The Hudson Gerrit plugin allows several trigger events... "Patchset Created" is probably not the best event to use. Right now I cannot see any other events, but having a first human verification that the contribution is not a Linux executable or shell script is definitely what I would recommend.
Back to the top