On Tue, Jun 02, 2026 at 08:13:59AM -0500, Romain Beauxis via ffmpeg-devel wrote:
> On Tue, Jun 2, 2026 at 03:29, Timo Rothenpieler via ffmpeg-devel
> <[email protected]> wrote:
> >
> > On 01.06.2026 19:24, Jean-Baptiste Kempf via ffmpeg-devel wrote:
> > > This is particularly dangerous.
> > > This makes the CI prone to injection to files from random people.
> >
> > Nothing stops people from doing the exact same thing right now anyway,
> > by simply adding a new CI step that wgets whatever sample they like.
> > So I don't see what's dangerous about it. It changes nothing.
> >
> > I also don't see what's dangerous about it in general.
> > Worst someone can do is make CI fake-green, but if they wanted that,
> > they could just modify the workflow directly and make it return
> > always-green.
> > The entire CI lives inside of the repo and runs from inside of the PR
> > after all.
> 
> Any user allowed to run the CI workflow is allowed to execute any
> arbitrary code so, after thinking about it I agree with Timo on that.

yes, I didn't reply before but I had this exact same feeling
fate in CI already gives the PR-Author full arbitrary code exec in the
container/vm
that's also why it's important that this container/vm is on a separate dedicated
physical machine or cloud

Also in case it's not obvious, forgejo fairy also basically gives code exec
in its container. (which is using openai's containers ATM so not our problem
but these will move to our own containers when I have time as we can give it
much more powerful capabilities that way)
future plan is that fairy should be able to help people bisect reproducible
issues and such stuff. This ATM isn't possible because the openai container
is too weak

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What's the most stupid thing your enemy could do? Blow himself up
What's the most stupid thing you could do? Give up your rights and
freedom because your enemy blew himself up.


_______________________________________________
ffmpeg-devel mailing list -- [email protected]