pan3793 commented on PR #8412:
URL: https://github.com/apache/hadoop/pull/8412#issuecomment-4248733453

   @ajfabbri
   
   > So for building the container image, this is just a convenience to get a 
stable toolchain for doing the maven build. I feel like this should be a 
trusted action, that we don't run on fork PRs.
   
   I'm not sure it's a trusted action. Contributors can modify the Dockerfile, 
for example, they can write some evil instructions in the Dockerfile `RUN 
send-secrets-to-my-server`, the instructions will be evaluated during building 
the image.
   
   Let me explain my thoughts about the security models:
   
   assumption:
   
   - we should trust all committers who have write permission on the 
apache/hadoop repo
   - we should trust the code in the apache/hadoop repo, either committed by 
committers directly, or checked in from PR/patch
   - we treat the PR code (from the forked repo) as untrusted
   
   the current proposed workflow
   
   for PR
   - the `.github/workflows/build_and_test.yml` will be triggered on the 
contributor's forked repo, so it's fine to grant write permission (note, it's 
write permission of the forked repo, not apache/hadoop repo)
   - the images will only be pushed to the forked repo's registry
   - the `.github/workflows/notify_test_workflow.yml` runs on 
`pull_request_target`, but it only runs the predefined script (trusted code), 
so it won't be affected by contributors' changes
   
   for apache/hadoop
   
   - as listed in the assumption section, we should trust the code in the 
apache/hadoop repo


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to