mxnet-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Naveen Swamy <mnnav...@gmail.com>
Subject Re: Introduction of restricted slaves and jobs
Date Sat, 26 May 2018 07:35:32 GMT
very nice!.

On Fri, May 25, 2018 at 6:31 AM, Aaron Markham <aaron.s.markham@gmail.com>
wrote:

> Thanks Marco, this is a welcome improvement.
>
>
> On Fri, May 25, 2018, 05:56 Marco de Abreu <marco.g.abreu@googlemail.com>
> wrote:
>
> > Hello MXNet community,
> >
> > I'd like to announce the launch of restricted slaves and jobs for our CI
> > system.
> >
> > The purpose of this feature is to allow separating slaves that execute
> > arbitrary code from verified code like on our version-branches and the
> > master. This step is necessary in order to increase the security of
> > produced artefacts.
> >
> > Until now, the generation of user-facing artefacts like our website was
> run
> > on the same instances as unverified code from Pull Requests. This could
> > potentially have been abused to deploy a virus on our slaves (although
> they
> > are recycled very frequently through the auto scaling system) that alters
> > the artefact generation processes and attaches malicious code to it.
> >
> > In order to mitigate this attack vector, we're introducing restricted
> > slaves and jobs. From now on, any user-facing output like nightly builds
> or
> > the website, will have to be generated on slaves that are only executing
> > code that has been verified by our committers by merging the changes into
> > one of our branches.
> >
> > I'd like to invite everybody to review the documentation at
> > https://cwiki.apache.org/confluence/display/MXNET/
> Restricted+jobs+and+nodes
> > .
> > Considering this is a security feature, I'd especially love to hear
> > critical input or any ideas that would allow to poke holes into my
> > solution.
> >
> > Best regards,
> > Marco
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message