[Python-Dev] Get a running instance of the doc for a PR.
On 11/04, Serhiy Storchaka wrote:
>04.11.18 17:00, Julien Palard via Python-Dev ????:
>>Considering feedback from Ned, what about building this as an independent service? We don't really need to interface with python.org at all, we just need some hardware, a domain, some code to interface with github API and... to start it's probably enough? It would be a usefull POC.
>This will just move risks to this service.
>Ned mentioned potential abuse. We will host unchecked content.
>Malicious user can create a PR which replaces Python documentation
>with malicious content.
The content will be generated by the build/html directory from Travis.
If Travis is green we upload the doc, if Travis is red, we do not
publish it. If there is an abuse, we close/drop the PR, maybe Bedevere
can receive this notification via the webhooks and notify the server to
remove the doc.
>The Doc/ directory includes Python scripts and Makefile which are used
>for building documentation. Malicious user can use this for executing
>arbitrary code on our server.
Currently, we use Travis. The malicious code will be execute in the
container of Travis, not on the server. We only copy the static files
and if we use nginx/apache, we don't execute the .py files. Just serve
the .html,.css,.js files
>Python-Dev mailing list
>Python-Dev at python.org
St?phane Wirtel - https://wirtel.be - @matrixise