njs at pobox.com
Mon Jun 15 15:30:34 EDT 2015
On Jun 15, 2015 9:03 AM, "Pauli Virtanen" <pav at iki.fi> wrote:
> 15.06.2015, 12:00, Nathaniel Smith kirjoitti:
> > http://homu.io/
> One thing to consider is the disadvantage from security POV: this gives
> full write access to the Numpy repository to that someone who is running
> the bot. I don't see information on who this person (or these persons)
> is and how access to the bot and the bot account is controlled.
> (Travis-CI doesn't have that AFAIK, it can only change the
> passed/not-passed icons.)
That's a fair point.
The person running the bot is Barosl Lee (@barosl), who is also the author
of the homu bot (https://github.com/barosl/homu) that the homu.io hosted
service is based on. The Mozilla rust and servo teams are using this code
to manage all their merges, e.g.:
though they are running a self-hosted version, not using homu.io.
If we're uncomfortable with the hosted service then hosting it ourselves
wouldn't be hard -- I've actually had "set up a homu instance" as a todo
item for most of a year now (check out Graydon's last comment on the lj
post I linked to upthread, and who he's replying to ;-)). I literally sat
down to get this done last night, got halfway through, and then discovered
that @barosl had finally announced their hosted service 18 hours earlier,
so I figured I'd be lazy and just use that instead :-).
Personally I'm not worried about the security issues -- I think the chances
that @barosl is malicious are basically zero, and while every account that
gets access to a repository increases the risk that someone might steal
their credentials and do something naughty with them, the additional risk
seems minimal to me. (Right now there are 16 accounts that have full admin
access to numpy/numpy; @homu is not one of them.)
But if people prefer I'm happy to self-host too.
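As an added illustration of the access review implied by the message above (not code from the thread, from NumPy, or from homu): the script below tallies which collaborators hold admin versus plain push rights on a repository, and checks whether a bot account is among the admins. It assumes the shape of GitHub's collaborators listing (`GET /repos/{owner}/{repo}/collaborators`, each entry carrying a `permissions` object with `admin`/`push`/`pull` booleans); the sample JSON and its logins are constructed for the example.

```python
import json

# Constructed sample in the shape of GitHub's collaborators listing.
# The logins are invented; "homu" stands in for the merge bot discussed above.
SAMPLE_COLLABORATORS_JSON = """
[
  {"login": "maintainer-a", "type": "User",
   "permissions": {"admin": true,  "push": true,  "pull": true}},
  {"login": "maintainer-b", "type": "User",
   "permissions": {"admin": true,  "push": true,  "pull": true}},
  {"login": "contributor-c", "type": "User",
   "permissions": {"admin": false, "push": true,  "pull": true}},
  {"login": "homu", "type": "User",
   "permissions": {"admin": false, "push": true,  "pull": true}},
  {"login": "reader-d", "type": "User",
   "permissions": {"admin": false, "push": false, "pull": true}}
]
"""


def load_collaborators(text):
    """Parse the JSON array returned by the collaborators endpoint."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of collaborator objects")
    return data


def admins(collaborators):
    """Logins with full admin rights (can change settings, keys and other collaborators)."""
    return sorted(c["login"] for c in collaborators
                  if c.get("permissions", {}).get("admin", False))


def writers(collaborators):
    """Logins that can push (admin implies push, so admins are included)."""
    return sorted(c["login"] for c in collaborators
                  if c.get("permissions", {}).get("push", False)
                  or c.get("permissions", {}).get("admin", False))


def access_summary(collaborators, bot_logins=("homu",)):
    """Summarise the blast radius: how many admins, how many writers,
    and whether any bot account has more than the push access it needs."""
    admin_set = set(admins(collaborators))
    writer_set = set(writers(collaborators))
    return {
        "admin_count": len(admin_set),
        "writer_count": len(writer_set),
        "bots_with_push": sorted(b for b in bot_logins if b in writer_set),
        "bots_with_admin": sorted(b for b in bot_logins if b in admin_set),
    }


if __name__ == "__main__":
    collabs = load_collaborators(SAMPLE_COLLABORATORS_JSON)
    print(json.dumps(access_summary(collabs), indent=2))
```

Against a live repository, the same functions can be fed the output of `gh api --paginate repos/numpy/numpy/collaborators` (an assumption about the GitHub CLI, not something the thread describes); a merge bot showing up under `bots_with_admin` is the condition worth flagging, since a bot only needs push rights to land approved pull requests.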