- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Thu, 11 Apr 2013 16:10:51 +0200
- To: James Graham <jgraham@opera.com>
- Cc: public-webapps-testsuite@w3.org, public-test-infra@w3.org
On Thursday 11 April 2013 at 10:20 +0200, James Graham wrote:
> > I don't think a manual approach is going to scale. I'm also not sure how the
> > github API is related to security; all the github API is needed for is to get
> > notifications about when there are new pull requests or when the repo is
> > updated. If the security concern is just PHP files mod_php should be disabled
> > for the submission/ directory (or, for a more advanced solution, it should be
> > disabled for files that have been changed on the pull request branch).
>
> So, I hacked together the beginnings of a script to do the syncing [1]. It
> is mostly untested; I had the initial import working, but haven't tried
> the synchronisation code at all. Obviously it's rather rough, but I think
> the approach is basically right. Additionally, on its own it won't provide
> any security at all. You need to disable PHP in the apache config for the
> submissions/ directory or something similar.

As discussed on IRC:

* your python script seems a much better starting point than mine, in particular in terms of how it manages clones (and thus saves disk space)
* ideally, it would have a triggered mode (based on github events) and a pull mode (for regular polling for things that github doesn't signal as events)
* if we could only clone pull requests that have been labeled via their corresponding issues as mirror-worthy, it would alleviate my security concerns

I'll see if I can look into this in the coming days (unless of course someone else beats me to it :); given the existing checkouts, I don't think there is a particular urgency though.

Dom

> [1] https://gist.github.com/jgraham/e17edaeae1f467837f47
Received on Thursday, 11 April 2013 14:11:22 UTC
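
The label-gated mirroring proposed in the message above, sketched as an added example; it is not part of the original post and is not the script in the linked gist. It assumes issue data shaped like GitHub's issue-list JSON (`number`, `state`, `labels[].name`, `pull_request`), a label literally named `mirror-worthy`, and one checkout directory per pull request named by its number; the function names are hypothetical.

```python
import re

MIRROR_LABEL = "mirror-worthy"  # assumed label name, taken from the wording of the post
_PR_DIR = re.compile(r"[1-9][0-9]*")  # checkout dirs are assumed to be bare PR numbers


def labelled_pull_requests(issues, label=MIRROR_LABEL):
    """Return the numbers of open pull requests that carry `label`."""
    selected = set()
    for issue in issues:
        if "pull_request" not in issue:
            continue  # a plain issue, not a pull request
        if issue.get("state") != "open":
            continue  # closed or merged PRs are no longer mirrored
        number = issue.get("number")
        if type(number) is not int or number <= 0:
            continue  # never build a directory name from anything but a positive int
        if label in {l.get("name") for l in issue.get("labels", [])}:
            selected.add(number)
    return selected


def plan_sync(issues, existing_dirs, label=MIRROR_LABEL):
    """Compare labelled PRs with the checkouts on disk and return the actions needed."""
    wanted = labelled_pull_requests(issues, label)
    have = {int(d) for d in existing_dirs if _PR_DIR.fullmatch(d)}
    return {
        "clone": sorted(wanted - have),   # labelled, not yet mirrored
        "remove": sorted(have - wanted),  # mirrored, but label gone or PR closed
        "keep": sorted(wanted & have),
    }


# Constructed sample data, not taken from any real repository.
SAMPLE_ISSUES = [
    {"number": 12, "state": "open", "pull_request": {}, "labels": [{"name": "mirror-worthy"}]},
    {"number": 13, "state": "open", "pull_request": {}, "labels": []},
    {"number": 14, "state": "open", "labels": [{"name": "mirror-worthy"}]},
    {"number": 15, "state": "closed", "pull_request": {}, "labels": [{"name": "mirror-worthy"}]},
    {"number": 16, "state": "open", "pull_request": {}, "labels": [{"name": "mirror-worthy"}]},
]
SAMPLE_DIRS = ["12", "13", "15", "README"]

if __name__ == "__main__":
    print(plan_sync(SAMPLE_ISSUES, SAMPLE_DIRS))
```

The plan only decides what is checked out; the server still needs PHP disabled for the submissions/ directory, as the quoted message says.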