Re: [RFC/PATCH v1] Add Travis CI support

Dennis Kaarsemaker <dennis@xxxxxxxxxxxxxxx> writes:

> On zo, 2015-10-04 at 10:46 -0700, Junio C Hamano wrote:
>> One final question.  Which configuration file does the CI use when
>> running a PR-initiated test?  The one already in the repository
>> i.e. the target of the proposed pull, or the one that is possibly
>> updated by the PR?
>>
>> I am wondering if that can be an avenue for a possible mischief.
>
> The latter. And it can, as it can enable notifications.

OK, so an attacker can send emails (by faking one of the repository
owners' identities on a commit, and then submitting a pull-request for
this commit). But such an attacker could already send emails via GitHub to
all repository watchers (not just owners) by sending pull-requests. Or
by using his mailer.

Other than that, Travis-CI uses a container-based infrastructure to
ensure clean and independent builds. So, an attacker could trigger a
build doing "rm -fr /" or whatever without impacting other builds.

-- 
Matthieu Moy
http://www-verimag.imag.fr/~moy/