mxnet-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron Markham <aaron.s.mark...@gmail.com>
Subject Re: Introduction of restricted slaves and jobs
Date Fri, 25 May 2018 13:31:41 GMT
Thanks Marco, this is a welcome improvement.


On Fri, May 25, 2018, 05:56 Marco de Abreu <marco.g.abreu@googlemail.com>
wrote:

> Hello MXNet community,
>
> I'd like to announce the launch of restricted slaves and jobs for our CI
> system.
>
> The purpose of this feature is to allow separating slaves that execute
> arbitrary code from verified code like on our version-branches and the
> master. This step is necessary in order to increase the security of
> produced artefacts.
>
> Until now, the generation of user-facing artefacts like our website was run
> on the same instances as unverified code from Pull Requests. This could
> potentially have been abused to deploy a virus on our slaves (although they
> are recycled very frequently through the auto scaling system) that alters
> the artefact generation processes and attaches malicious code to it.
>
> In order to mitigate this attack vector, we're introducing restricted
> slaves and jobs. From now on, any user-facing output like nightly builds or
> the website, will have to be generated on slaves that are only executing
> code that has been verified by our committers by merging the changes into
> one of our branches.
>
> I'd like to invite everybody to review the documentation at
> https://cwiki.apache.org/confluence/display/MXNET/Restricted+jobs+and+nodes
> .
> Considering this is a security feature, I'd especially love to hear
> critical input or any ideas that would allow to poke holes into my
> solution.
>
> Best regards,
> Marco
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message