Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit trail for CI #347

Closed
orangemocha opened this issue Mar 2, 2016 · 6 comments
Closed

Audit trail for CI #347

orangemocha opened this issue Mar 2, 2016 · 6 comments
Labels
ci-public

Comments

@orangemocha
Copy link

Based on discussion at the last Build WG meeting, we might want to implement an audit trail to record commits that are run through CI, so that we can actively or re-actively identify potential malicious actions.

Let us discuss here how we could implement that.
@orangemocha
Copy link
Author

Here's an idea... Jenkins already provides a (limited) job history, but the job parameters only include git references that can be deleted after the job is run. I am thinking we could push every change that gets submitted to a dedicated repo, with a tag name that includes:

  • The jenkins run id
  • The user id that started the Jenkins job.
  • Timestamp

Problems to solve:

  1. The audit repo would get big. Is there a way to push to it without having to fetch the whole thing each time?
  2. How to ensure this push is performed for any CI job, without doing it multiple times for the same change. Keep in mind that users can launch node-test-commit, node-test-commit-linux, or just any subjob.

@joaocgreis
Copy link
Member

Most of the changes will be just a tag to a commit that would be there otherwise, or with a very insignificant size after compressed. The problem here is binaries.

  1. Not a problem, git push works with a url without fetching. But it would be smarter to fetch master before, or it will have to upload everything.
  2. Without a better plan, we'd have to save on every job that has slaves (not the compile-only jobs, unless anyone can see a way of hijacking those). Most of them will be just a tag for the same object, so I don't see a problem there. The problem is the binaries, can we somehow restrict the binary-test jobs to be run only from the fanned counterpart?

@orangemocha
Copy link
Author

Restricting the binary jobs to be only invokeable from their intended parents sounds like the way to go.

I guess a good place to inject this would be in the rebase scripts. Do we still use the git-rebase job?

@joaocgreis
Copy link
Member

For both fanned jobs, yes.

@Trott
Copy link
Member

Trott commented May 23, 2018

Is this still an issue? Should it remain open?

@maclover7
Copy link
Contributor

Closing for now as something that would be nice to have, but seems to not currently be within our means. If someone wants to tackle this, please feel free to reopen.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ci-public
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@joaocgreis @Trott @orangemocha @maclover7