[GSoC] Progress Report
l2dy at macports.org
Mon Jun 5 01:17:31 UTC 2017
On Sun, Jun 04, 2017 at 10:23:52PM +0200, Mojca Miklavec wrote:
>Dear Zero King,
>Thank you very much for the update.
>There's one thing I didn't fully understand:
>> "This design is aimed for traceability, we can find the exact GitHub user who submitted a malicious PR."
>I understand that you can neither trust the author's nor committer's
>email from the git commit history, but doesn't GitHub provide
>reliable information about who submitted the pull request? Of course
>one can have a stolen identity (username/password or key), but I
>probably don't understand at which point you wanted to identify the
>user submitting a PR. Or did you want to identify a user trying to chat
>with the bots?
All information the CI bot has access to is public, so I'm worried that
someone would send PR bot data without submitting a PR at all.
>You asked about extraction of the list of ports which is currently a combination of
>and list-subports in mpbb. I guess the first function could be
>implemented in mpbb instead. And maybe mpbb could get some more
>branching (if-else statements) depending on whether it runs for
>"production" (buildbot) or "testing" (Travis). Or maybe some
>functionality from mpbb could even move to the MacPorts core.
mpbb has a dependency on getopt, so it's not ideal for Travis since
there's a time limit for each build and I'd like to save more time for
actually testing ports.
Don't trust the From address.