On Fri, May 31, 2019, at 12:11 AM, Antoine Pitrou wrote:
> 
> On 30/05/2019 at 22:39, Uwe L. Korn wrote:
> > Hello all,
> > 
> > Krisztián has been lately working on getting Buildbot running for Arrow. 
> > While I have not yet had the time to look at it in detail what would hinder 
> > us using it as the main Linux builder and ditching Travis except for OSX?
> > 
> > Otherwise I have lately had really good experiences with GitLab CI 
> > connected to GitHub projects. While they only offer a comparatively small 
> > amount of CI time per month per project (2000 minutes is quite small in the 
> > Arrow case), I enjoyed that you can connect your own builders to their 
> > hosted gitlab.com instance. This would enable us to easily add funded 
> > workers to the project as well as utilise special hardware that we would 
> > not otherwise get in public CI instances. The CI runners ("workers") are 
> > really simple to set up (it took me on Windows and on Linux less than 5 min 
> > each) and the logs show up in the hosted UI.
> 
> Are there any security issues with running self-hosted workers?
> Another question is whether GitLab CI is allowed on GitHub repos owned
> by the Apache Foundation (Azure Pipelines still isn't).


The security implications are the same as with any self-hosted, Docker-based CI: 
there is a certain chance that people can escape the Docker sandbox and do nasty 
things on the host. Thus we shouldn't store any additional credentials on the 
host except what is needed to connect to the GitLab master.

I'm not sure about the requirements from GitLab for the integration. They 
provide a hook for the CI status and a full-blown sync integration. The latter 
really wants all-access, which the ASF INFRA won't grant; for the former we may 
not even need INFRA, but I have to look deeper into that.

Uwe
