CI system for PR builds

Zero King l2dy at macports.org
Sun Apr 8 10:42:19 UTC 2018


On Sun, Apr 08, 2018 at 12:20:34PM +0200, db wrote:
>On 7 Apr 2018, at 19:44, Clemens Lang <cal at macports.org> wrote:
>> Remember that Portfiles can execute arbitrary code and root access is
>> available from Portfiles. We do not want to run arbitrary code in a PR
>> on the same build machines we use to build packages that we will
>> distribute to our users. A malicious attacker could modify the machines
>> in a way that packages built after that will be miscompiled.
>
>If you review the code before, that should never be the case and it would build just once if it succeeds, right? Or am I missing something how PRs are handled?

CI builds are automatically started when a PR is submitted or updated,
and we usually review the code after the build completes. Unless CI
builds are fast enough, manually triggering builds after code review
would be a waste of manpower (we have to wait till the build completes).
The CI system is useful because it can provide more information when we
review the PRs. It would be less useful if we have to manually start the
builds.

-- 
Best regards,
Zero King