Bug 456282

Summary: Disable signing in RAP Gerrit verification jobs on RAP HIPP Hudson
Product: [RT] RAP
Reporter: Markus Knauer <mknauer>
Component: Releng
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: P3
Version: 2.3
Target Milestone: 3.0 M5
Hardware: PC
OS: Linux
URL: https://hudson.eclipse.org/rap/
Whiteboard:

Description Markus Knauer CLA 2014-12-29 10:50:28 EST
Bug 375350 discusses the 'Potential for security issues invoking builds from Gerrit'.

We are running several jobs on our Hudson instance (HIPP at https://hudson.eclipse.org/rap/).

Our Gerrit verification jobs are triggered by Gerrit changes and run on untrusted commits that may contain malicious code. I cannot stand that these builds are signed, and I propose to disable signing in all Gerrit verification jobs:

https://hudson.eclipse.org/rap/job/rap-head-runtime-gerrit/
https://hudson.eclipse.org/rap/job/rap-head-tools-gerrit/

Comment 1 Markus Knauer CLA 2014-12-29 11:11:24 EST
* rap-head-runtime-gerrit: It wasn't configured for signing up to now; no change required.
* rap-head-tools-gerrit: Signing is now disabled from build #75 on.

I added a short sentence about the signing-status to the description of the jobs.