[Numpy-discussion] Buildbot for numpy
barrywark at gmail.com
Mon Jul 9 15:39:05 EDT 2007
Thanks for the info! I will run it by folks here and see what we can
fiure out. We're using numpy and scipy very heavily in our internal
software, so we have an interest in making sure it works on our
platform. Hopefully we (here) can agree on a strategy that will
satisfy me and the IT people. I'll get back to you ASAP.
On 7/8/07, Albert Strasheim <fullung at gmail.com> wrote:
> On Mon, 02 Jul 2007, Barry Wark wrote:
> > I have the potential to add OS X Server Intel (64-bit) and OS X Intel
> > (32-bit) to the list, if I can convince my boss that the security risk
> Sounds good. We could definitely use these platforms.
> > (including DOS from compile times) is minimal. I've compiled both
> Currently we don't allow builds to be forced from the web page, but this
> might change in future.
> > numpy and scipy many times, so I'm not worried about resources for a
> > single compile/test, but can any of the regular developers tell me
> > about how many commits there are per day that will trigger a
> > compile/test?
> We currently only build NumPy. SciPy should probably be added at some
> point, once we figure out how we want to configure the Buildbot to do
> this. NumPy averages close to 0 commits per day at this point. SciPy is
> more active. Between the two, on a busy day, you could expect more than
> 10 and less than 100 builds.
> > About the more general security risk of running a buildbot slave, from
> > my reading of the buildbot manual (not the source, yet), it looks like
> > the slave is a Twisted server that runs as a normal user process. Is
> > there any sort of sandboxing built into the buildbot slave or is that
> > the responsibility of the OS (an issue I'll have to discuss with our
> > IT)?
> Through the buildbot master configuration, we tell your buildslave what
> to check out and which commands to execute. We have set it up to do the
> build in terms of a Makefile, so the master will tell the slave to run
> "make build" followed by "make test". Here you can make your own
> machine do anything that hopefully involves running python setup.py,
> etc. However, the configuration on the master can be changed to make
> your slave execute any command.
> In short, any NumPy/SciPy committer or anyone who controls the build
> master configuration (i.e., me, Stefan, our admin person, a few other
> people who have root access on that machine and anybody who
> successfully breaks into it) can make your build machine execute
> arbitrary code as the build slave user.
> The chance of this happening is small, but it's not impossible, so if
> this risk is unacceptable to you/your IT people, running a build slave
> might not be for you. ;-)
> Numpy-discussion mailing list
> Numpy-discussion at scipy.org
More information about the NumPy-Discussion