mxnet-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marco de Abreu <marco.g.ab...@googlemail.com>
Subject Introduction of restricted slaves and jobs
Date Fri, 25 May 2018 12:55:57 GMT
Hello MXNet community,

I'd like to announce the launch of restricted slaves and jobs for our CI
system.

The purpose of this feature is to allow separating slaves that execute
arbitrary code from verified code like on our version-branches and the
master. This step is necessary in order to increase the security of
produced artefacts.

Until now, the generation of user-facing artefacts like our website was run
on the same instances as unverified code from Pull Requests. This could
potentially have been abused to deploy a virus on our slaves (although they
are recycled very frequently through the auto scaling system) that alters
the artefact generation processes and attaches malicious code to it.

In order to mitigate this attack vector, we're introducing restricted
slaves and jobs. From now on, any user-facing output like nightly builds or
the website, will have to be generated on slaves that are only executing
code that has been verified by our committers by merging the changes into
one of our branches.

I'd like to invite everybody to review the documentation at
https://cwiki.apache.org/confluence/display/MXNET/Restricted+jobs+and+nodes.
Considering this is a security feature, I'd especially love to hear
critical input or any ideas that would allow to poke holes into my solution.

Best regards,
Marco

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message