Add a white list of projects allowed to create benchmark jobs #43
Comments
As I said before - I'd only start doing this if this indeed becomes a problem :) And before that I beg more people for resources at elixirforum :D Wdyt @michalmuskala ?
I think there are actually two factors we should take into consideration here:
I'm actually less worried about the former. It's true we're running the benchmarks in Docker, but Docker was not designed as a security sandbox; it's not perfect and there are ways (removed with each release) to escape to the host system. Because of that, I think, for now we should run with a whitelist of projects.
And we already have the whitelist check... jobs are just created if the repository was added - manually - to the database.
The security concern I think we can never really get rid of. Unless I'm missing something that's also sort of what all CI hosts etc. have to live with? :(
As our runners are limited resources, we could have a white list of projects allowed to have their benchmarks running. These projects could be exported and read to a file or environment variables. By now we would have only Ecto.
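
The gate discussed in this issue, as an added example that is not part of the thread or of the project's code: an allowlist read from an environment variable and checked before a benchmark job is created, failing closed when the list or the repository name is missing. The variable name `BENCH_ALLOWED_REPOS`, the function names and the GitHub-style `repository.full_name` payload field are assumptions; `elixir-ecto/ecto` is Ecto's repository on GitHub.

```python
import os
import re

# Hypothetical variable name; the issue only says "a file or environment variables".
ALLOWLIST_ENV = "BENCH_ALLOWED_REPOS"
# Conservative owner/repo pattern: no path separators, spaces or control characters.
SLUG_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?/[A-Za-z0-9._-]+")


def parse_allowlist(raw):
    """Parse a comma- or whitespace-separated list of owner/repo slugs.

    A malformed entry raises instead of being skipped, so a typo in the
    configuration is noticed at startup rather than silently changing the list.
    """
    allowed = set()
    for entry in re.split(r"[,\s]+", raw or ""):
        if not entry:
            continue
        if not SLUG_RE.fullmatch(entry):
            raise ValueError(f"invalid allowlist entry: {entry!r}")
        # GitHub treats owner and repository names case-insensitively.
        allowed.add(entry.lower())
    return frozenset(allowed)


def may_create_job(payload, allowed):
    """Return True only if the event's repository is on the allowlist.

    Fails closed: an empty allowlist, a missing field or a malformed
    name all mean that no benchmark job is created.
    """
    repo = payload.get("repository") if isinstance(payload, dict) else None
    name = repo.get("full_name") if isinstance(repo, dict) else None
    if not isinstance(name, str) or not SLUG_RE.fullmatch(name):
        return False
    return name.lower() in allowed


if __name__ == "__main__":
    allowed = parse_allowlist(os.environ.get(ALLOWLIST_ENV, "elixir-ecto/ecto"))
    # Constructed sample events, not captured webhook traffic.
    for event in ({"repository": {"full_name": "Elixir-Ecto/ecto"}},
                  {"repository": {"full_name": "someone/ecto"}},
                  {}):
        print(event, "->", may_create_job(event, allowed))
```

The allowlist limits which repositories can submit code to the runners; it does not change the Docker isolation concern raised in the comments.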