Hi Paul,
On 17/01/12 12:31, Paul Sokolovsky wrote:
Hello Guilherme,
Here's the matter about "WI" we have from the team meeting. I posted about that matter previously but here's quick recap: we wanted to start using the copy-to-slave on android-build, and I found that it has security hole, essentially it allows a user w/o admin permissions to get access to admin info, which can be as serious as to allow to steal EC2 machine time.
What I did is notified the plugin maintainer, and also quickly whipped a "short-circuit" type workaround - I just removed the offending option altogether. In maintainer's place, I wouldn't accept that patch as is - obviously, is some configurations there's no real security risk with that option, and some people have it in use. Proper solution would take adding UI configuration page, but I don't know Jenkisn well enough to do that (and before going for that, there're 2-3 Jenkins hacking related tasks waiting in queue for months). Last step in this so far is that maintainer did some changes (again, I doubt they're based on my patch much) and asked for review, in my TODO.
We didn't really exchange email, all communication is as the comments to the plugin page:
https://wiki.jenkins-ci.org/display/JENKINS/Copy+To+Slave+Plugin?focusedComm...
There's also a bug: https://issues.jenkins-ci.org/browse/JENKINS-12281
My changes are in the form of fork repo: https://github.com/pfalcon/copy-to-slave-plugin
So, based on all this, I wouldn't think there's something to patch-track: it's not that much of upstream contribution, more of upstream bugreport + local workaround. But if you think we could track anything out of this, I'd appreciate a hint how to start with that.
Right, it probably doesn't make sense to teach patches.l.o how to suck patches submitted by Linaro engineers from issues.jenkins-ci.org as we don't expect to see many contributions from Linaro there. If that changes in the future, we can certainly work something out, like we did for gerrit.
The way you described it sounds like the patch you submitted isn't even going to be merged upstream, but if you have others that you expect to be, you can just email a copy of them to patches@l.o, as described at
https://wiki.linaro.org/Process/UpstreamPatches
In that case you'll also want to ask for the creation of a new project on patches.l.o (instructions also on the page above)