Re: [eclipse.org-committers] Malicious executable content in Gerrit contributions
Executable checks alone won't help – it is just as possible for a junit test to do something naughty.
Alex
Sent from my iPhat 6
> On 10 Dec 2014, at 14:08, LETAVERNIER Camille <Camille.LETAVERNIER@xxxxxx> wrote:
>
> Hi Denis,
>
> Maybe having a white-list of usual contributors (Allowed to have an auto-trigger) would help. For others, only manual-trigger (From a Committer) would be allowed.
>
> Camille
>
> -----Original Message-----
> From: eclipse.org-committers-bounces@xxxxxxxxxxx [mailto:eclipse.org-committers-bounces@xxxxxxxxxxx] On behalf of Denis Roy
> Sent: Wednesday 10 December 2014 14:54
> To: eclipse.org-committers@xxxxxxxxxxx
> Subject: [eclipse.org-committers] Malicious executable content in Gerrit contributions
>
> Well, the moment I've been dreading has finally come... malicious virus/malware is now in our Gerrit database.
>
> Witness: https://git.eclipse.org/r/#/c/37910/
>
> This shows the intention of the contributor:
>
> https://git.eclipse.org/r/#/c/37910/1/features/papyrus-tests-features/org.eclipse.papyrus.tests.build.feature/epl-v10.html
>
>
> In this case, the bad contribution was picked up and built by Hudson...
> Many projects also run tests on these unknown contributions, which means Hudson not only builds the malicious code, but executes it too.
>
> I am convinced that this practice, albeit convenient for projects, can ultimately lead to really bad things.
>
> Discuss in this bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=375350
>
> The Hudson Gerrit plugin allows several trigger events... "Patchset Created" is probably not the best event to use. Right now I cannot see any other events, but having a first human verification that the contribution is not a Linux executable or shell script is definitely what I would recommend.
>
> Denis
> _______________________________________________
> eclipse.org-committers mailing list
> eclipse.org-committers@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/eclipse.org-committers
>
> IMPORTANT: Membership in this list is generated by processes internal to the Eclipse Foundation. To be permanently removed from this list, you must contact emo@xxxxxxxxxxx to request removal.
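A minimal trigger gate along the lines discussed in this thread: Camille's contributor white-list decides whether a patchset may build automatically, while executable-content findings are only advisory context for the committer who triggers manually, since, as Alex points out, test code runs under CI just as readily as a binary. This is an added example in Python, not Eclipse Foundation or Hudson Gerrit plugin code; the TRUSTED set, the sample change and the (path, mode, first_bytes) tuples are constructed.

```python
"""Decide whether a Gerrit patchset may be built and tested automatically.

Policy (constructed example, not the Eclipse Foundation's tooling):
  * author on the trusted list -> "auto"   (CI may trigger on Patchset Created)
  * anyone else                -> "manual" (a committer triggers after review)
Content findings never upgrade a decision; they only help the reviewer.
"""
import stat

# Constructed white-list; a real one would come from the project's contributor roster.
TRUSTED = {"alice@example.org", "bob@example.org"}


def suspicious_files(files):
    """Return [(path, [reasons])] for files that could execute during a CI run.

    `files` is an iterable of (path, git_mode, first_bytes) tuples, as one could
    assemble from `git ls-tree` plus the head of each blob (constructed here).
    """
    findings = []
    for path, mode, head in files:
        reasons = []
        if head.startswith(b"\x7fELF"):
            reasons.append("ELF binary")
        if head.startswith(b"MZ"):
            reasons.append("PE/DOS executable")
        if head.startswith(b"#!"):
            reasons.append("script with shebang")
        if mode & stat.S_IXUSR:
            reasons.append("executable mode bit")
        # Alex's point: test sources are executed by the build, so flag them too.
        if "/tests/" in "/" + path or path.endswith("Test.java"):
            reasons.append("test code executes under CI")
        if reasons:
            findings.append((path, reasons))
    return findings


def decide(author_email, files):
    """Return ("auto" | "manual", findings) for one patchset."""
    findings = suspicious_files(files)
    if author_email.lower() in TRUSTED:
        return "auto", findings
    return "manual", findings


# Constructed sample patchset: a licence file, a shell script, a native binary, a test.
SAMPLE_CHANGE = [
    ("features/foo.feature/epl-v10.html", 0o100644, b"<html>\n<head>"),
    ("tools/run.sh", 0o100755, b"#!/bin/sh\nset -e\n"),
    ("bin/helper", 0o100755, b"\x7fELF\x02\x01\x01"),
    ("tests/FooTest.java", 0o100644, b"package org.example;"),
]
```

For an unknown author the gate returns "manual" together with the flagged files, so the committer sees what the change would run before clicking the trigger.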