Re: [] Malicious executable content in Gerrit contributions

On Wed, Dec 10, 2014 at 7:35 AM, Mike Milinkovich <mike.milinkovich@xxxxxxxxxxx> wrote:

Surely this is an issue that affects Gerrit as a whole? Have you also addressed this concern to their community mailing list? I would expect that other projects that use Gerrit (e.g. Android, OpenStack) would be even larger targets than Eclipse, and may have already arrived at an approach.

Android certainly has. Android runs each change in its own, brand new, network-isolated virtual machine. The system is built on top of Google Compute Engine to spin up and tear down new VMs rapidly.

I don't know what OpenStack does.

Chromium OS has taken the approach of requiring a trusted committer to review the change and +1 it before it goes to the build farm.

On 10/12/2014 8:54 AM, Denis Roy wrote:
Well, the moment I've been dreading has finally come... malicious virus/malware is now in our Gerrit database.
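The Chromium OS approach mentioned in the reply (a trusted committer must review and +1 a change before the build farm touches it) is a policy gate that sits between Gerrit and CI. The following is an added example of what such a gate can check, not code from this thread, from Gerrit or from Chromium OS. The change and approval records are constructed here and only loosely mimic Gerrit's review data; the trusted-committer list, the `Change`/`Approval` shapes and the veto rule for negative votes are assumptions of this example. Two details matter for a gate like this and are easy to get wrong: a vote cast on an earlier patch set must not carry over to a later one (the code may have changed after review), and the uploader's own vote must not count.

```python
"""Pre-build gate: only dispatch a Gerrit change to the build farm after a
trusted committer (not the uploader) has given Code-Review >= +1 on the
*current* patch set, and no trusted committer has voted it down.

Added example; data model and trusted group are constructed, not Gerrit's.
"""
from dataclasses import dataclass, field


@dataclass
class Approval:
    label: str       # e.g. "Code-Review"
    value: int       # -2 .. +2
    by: str          # reviewer e-mail
    patch_set: int   # patch set the vote was cast on


@dataclass
class Change:
    change_id: str
    current_patch_set: int
    uploader: str    # e-mail of whoever pushed the current patch set
    approvals: list = field(default_factory=list)


# Constructed trusted-committer group (assumption: maintained outside Gerrit ACLs).
TRUSTED_COMMITTERS = frozenset({"alice@example.org", "bob@example.org"})


def build_gate(change, trusted=TRUSTED_COMMITTERS, min_score=1):
    """Return (allowed, reason) for sending `change` to the build farm."""
    trusted = frozenset(trusted)
    approver = None
    for a in change.approvals:
        if a.label != "Code-Review":
            continue
        if a.patch_set != change.current_patch_set:
            # Vote on a superseded patch set: the reviewed code is not
            # the code that would be built, so it does not count.
            continue
        if a.by not in trusted:
            continue
        if a.value < 0:
            # Assumed rule: any negative trusted vote on the current
            # patch set vetoes the build regardless of other +1s.
            return False, f"vetoed by trusted committer {a.by} ({a.value:+d})"
        if a.by == change.uploader:
            continue  # self-approval never satisfies the gate
        if a.value >= min_score and approver is None:
            approver = a
    if approver is None:
        return False, (f"no Code-Review >= +{min_score} from a trusted, "
                       f"non-uploader committer on patch set "
                       f"{change.current_patch_set}")
    return True, (f"Code-Review {approver.value:+d} by {approver.by} "
                  f"on patch set {approver.patch_set}")


def demo():
    """Run the gate over constructed changes; returns {change_id: allowed}."""
    cases = [
        # Reviewed by a trusted committer on the current patch set: allowed.
        Change("I1", 2, "mallory@example.org",
               [Approval("Code-Review", 1, "alice@example.org", 2)]),
        # +1 was on patch set 1, but patch set 2 is current: blocked.
        Change("I2", 2, "mallory@example.org",
               [Approval("Code-Review", 2, "alice@example.org", 1)]),
        # Uploader approved their own change: blocked.
        Change("I3", 1, "alice@example.org",
               [Approval("Code-Review", 2, "alice@example.org", 1)]),
        # +2 from someone outside the trusted group: blocked.
        Change("I4", 1, "mallory@example.org",
               [Approval("Code-Review", 2, "carol@example.org", 1)]),
        # One trusted +1 and one trusted -1 on the same patch set: vetoed.
        Change("I5", 3, "mallory@example.org",
               [Approval("Code-Review", 1, "alice@example.org", 3),
                Approval("Code-Review", -1, "bob@example.org", 3)]),
    ]
    results = {}
    for c in cases:
        allowed, reason = build_gate(c)
        results[c.change_id] = allowed
        print(f"{c.change_id}: {'BUILD' if allowed else 'HOLD '} - {reason}")
    return results


if __name__ == "__main__":
    demo()
```

A gate like this removes the "untrusted push goes straight to the build farm" path but does not make the build host safe to run arbitrary reviewed code; it complements, rather than replaces, the per-change isolated VM approach the reply attributes to Android.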