patchbot security


Jonathan Kliem

Jul 6, 2019, 4:20:09 AM7/6/19
to sage-devel
Hi,

I'm wondering what safety measures are taken for distributing code to the patchbot clients.

E.g. if I were to register a new github account and create a ticket that uploads all files from the user to a server of my choice (maybe via a malicious doctest), is that ticket still going to be distributed to patchbot clients?

I guess the underlying question is, what security measures are recommended before running a patchbot. On https://wiki.sagemath.org/patchbot I cannot find anything.

Jonathan

Volker Braun

Jul 6, 2019, 8:50:51 AM7/6/19
to sage-devel
The patchbot configuration has some options for trusting specific user accounts.

Having said that, you are correct in that it executes code submitted by strangers over the internet. At the very least make a separate user account for running the patchbot. You might want to add an additional container / vm layer.
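The advice above, turned into a preflight check, as an added example written for this page (it is not code from the sage-devel thread or from the patchbot project): the script refuses to proceed when run as root or as any account other than the dedicated patchbot user, and scans that user's home for the usual credential stores, since a malicious doctest runs with whatever that account can read. The account name, home path, credential locations and the container command in the comment are assumptions.

```shell
#!/bin/sh
# Added example for the sage-devel thread above; not part of patchbot.
# Assumed: a dedicated account (e.g. "patchbot") exists and only the
# patchbot is run under it.  The directory names below are the usual
# locations of credentials and are an assumption, not a complete list.

# Return 0 if the given home directory holds none of the usual credential
# stores; otherwise report each one on stderr and return 1.  Anything
# readable here is exposed to code in a ticket's doctests.
patchbot_home_is_clean() {
    home="$1"
    found=0
    for d in .ssh .gnupg .aws .config/gcloud .netrc .git-credentials; do
        if [ -e "$home/$d" ]; then
            echo "credential store present: $home/$d" >&2
            found=1
        fi
    done
    return $found
}

# Return 0 unless the current uid is 0 (root).
not_running_as_root() {
    [ "$(id -u)" -ne 0 ]
}

# Return 0 if the current user is the dedicated account named in $1.
running_as_dedicated_user() {
    [ "$(id -un)" = "$1" ]
}

# Top-level check: all three conditions must hold before a run starts.
patchbot_preflight() {
    user="$1"
    home="$2"
    rc=0
    not_running_as_root || { echo "refusing to run as root" >&2; rc=1; }
    running_as_dedicated_user "$user" || { echo "run this as user '$user'" >&2; rc=1; }
    patchbot_home_is_clean "$home" || rc=1
    return $rc
}

# Example invocation (placeholder values; the patchbot command itself is
# whatever your installation uses):
#   patchbot_preflight patchbot /home/patchbot && <patchbot command>
#
# For the extra container layer mentioned in the thread, the same account
# can be used inside a locked-down Docker container, e.g.
#   docker run --rm --user 1001:1001 --cap-drop=ALL \
#       --security-opt no-new-privileges <image> <patchbot command>
# (uid and image are placeholders; the flags are standard Docker options).
```

The checks are split into separate functions so that each one can be reused or tested on its own; `patchbot_home_is_clean` takes the home directory as an argument rather than reading `$HOME`, which makes it possible to audit the dedicated account from an administrator's shell before handing it over.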

Jonathan Kliem

Jul 6, 2019, 10:42:46 AM7/6/19
to sage-devel
Thanks, I have to see what I can do about it (I went through all the tickets I tested and it looks like things are fine).

On Saturday, 6 July 2019 14:50:51 UTC+2, Volker Braun wrote:
> The patchbot configuration has some options for trusting specific user accounts.
>
> Having said that, you are correct in that it executes code submitted by strangers over the internet. At the very least make a separate user account for running the patchbot. You might want to add an additional container / vm layer.

Could you (or someone else) add this info to https://wiki.sagemath.org/patchbot?