Re: Malicious executable content in Gerrit contributions

On Wed, Dec 10, 2014 at 10:44 AM, Shawn Pearce <sop@xxxxxxxxxx> wrote:
On Wed, Dec 10, 2014 at 7:35 AM, Mike Milinkovich <mike.milinkovich@xxxxxxxxxxx> wrote:

Surely this is an issue that affects Gerrit as a whole? Have you also addressed this concern to their community mailing list? I would expect that other projects that use Gerrit (e.g. Android, OpenStack) would be even larger targets than Eclipse, and may have already arrived at an approach.

Android certainly has. Android runs each change in its own, brand new, network isolated virtual machine. The system is built on top of Google Compute Engine to spin-up and tear-down new VMs rapidly.

I don't know what OpenStack does.

OpenStack does the same; they have a Jenkins master that spins up several dynamic slave VMs to build in parallel. These machines go away once the build completes. They use Gerrit > Zuul > Gearman > [multiple Jenkins masters] > VM Slaves.

At the Linux Foundation we are moving to a similar build infrastructure as OpenStack.
