On Wed, Nov 15, 2017 at 10:00 AM, David Loeffler
<d.a.loeff...@warwick.ac.uk> wrote:
> I'd like to request opinions on whether we should get rid of the "Trusted
> Authors" check in the Sage patchbot.
>
> At present, the patchbot won't test a ticket unless all of the names in the
> Trac "Authors" field have had at least one ticket previously merged.
> Presumably the intention of this is to prevent people uploading git branches
> with malicious code that will hijack the patchbot servers. But the "Authors"
> field is a free text field; there's nothing to stop anybody with a trac
> account uploading a git branch with author set to "William Stein", or
> "Mickey Mouse" for that matter. So this feature provides zero actual
> security against attacks, and only serves to make life more difficult for
> legitimate users -- and, worse still, it specifically targets new
> contributors who we want at all costs to encourage.
>
> So I would advocate getting rid of the "Trust" feature -- or at least
> adjusting it so it runs the ticket if any of the authors are trusted (rather
> than all of them). What do others here think of this idea?
>
> (I spotted this while reviewing ticket 19169, where the authors are a group
> of first-time Sage contributors from Sage Days 69 in 2015. The ticket has
> been languishing in needs-review purgatory for most of the intervening 2
> years, and the fact that it didn't have a green light from the patchbot
> probably contributed to that.)

+1. Please consider opening an issue at https://github.com/sagemath/sage-patchbot

I believe it's already possible to configure a patchbot to allow
"untrusted" authors, but it's not the default.  You're right that the
"feature" makes no sense.

The only way to run a patchbot anything remotely "securely" is to be
running it on an isolated VM.  A lot of the other defaults for the
patchbot (such as not testing package updates) are similarly false
security, as we discussed here a few days ago.

Erik
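To make the thread's point concrete, here is an added Python model (not patchbot code) of the three gating rules under discussion: the current check that every name in the free-text Authors field is trusted, the proposed "any author trusted" relaxation, and an identity-bound check keyed on the authenticated account that attached the branch. The `uploader` field, the account names and the tickets are constructed assumptions for the illustration.

```python
"""Model of the patchbot "trusted authors" gate described in the thread.

The Authors field is free text, so it is self-asserted. The `uploader`
field is an ASSUMPTION: it stands for whatever authenticated identity the
tracker records for the account that pushed the branch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    number: int
    authors: str    # free-text Trac "Authors" field (self-asserted)
    uploader: str   # assumed: authenticated account that attached the branch


def author_names(ticket: Ticket) -> list[str]:
    """Split the free-text Authors field on commas, dropping blanks."""
    return [n.strip() for n in ticket.authors.split(",") if n.strip()]


def gate_all_authors_trusted(ticket: Ticket, trusted_names: set[str]) -> bool:
    """Behaviour described in the thread: every listed name must be trusted."""
    names = author_names(ticket)
    return bool(names) and all(n in trusted_names for n in names)


def gate_any_author_trusted(ticket: Ticket, trusted_names: set[str]) -> bool:
    """Proposed relaxation: run if at least one listed name is trusted."""
    return any(n in trusted_names for n in author_names(ticket))


def gate_uploader_trusted(ticket: Ticket, trusted_accounts: set[str]) -> bool:
    """Identity-bound alternative: trust follows the authenticated account,
    so a name typed into a text field cannot satisfy it."""
    return ticket.uploader in trusted_accounts


# Constructed sample data. Names and accounts are placeholders.
TRUSTED_NAMES = {"William Stein"}
TRUSTED_ACCOUNTS = {"acct-with-merged-ticket"}

# A trusted name typed into the field, branch pushed by an unknown account.
SPOOFED = Ticket(1, "William Stein", uploader="brand-new-account")
# Several first-time contributors, none trusted, mirroring the 19169 case.
NEWCOMERS = Ticket(19169, "Alice Example, Bob Example", uploader="alice-acct")
# A newcomer ticket that a trusted contributor has been added to.
MENTORED = Ticket(2, "Alice Example, William Stein", uploader="alice-acct")
```

The free-text gate is fooled by `SPOOFED` yet blocks `NEWCOMERS` and `MENTORED`; the uploader-keyed gate blocks `SPOOFED` regardless of what the field says, and the any-author rule would let `MENTORED` through.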
