Opened at 2013-09-01T01:05:06Z
Closed at 2014-09-09T18:27:12Z
#2072 closed defect (fixed)
enable Travis-CI for the main Tahoe-LAFS repo
Reported by: | daira | Owned by: | warner |
---|---|---|---|
Priority: | normal | Milestone: | soon (release n/a) |
Component: | dev-infrastructure | Version: | 1.10.0 |
Keywords: | security travis github | Cc: | |
Launchpad Bug: |
Description
Travis-CI is a virtual-machine-based continuous integration system, which does various neat things like annotating pull requests with the results of testing a build.
I've added a single-purpose travis-tahoe github user to confirm that this works with Tahoe-LAFS. Here are the successful results for that user's fork of the tahoe-lafs repo: https://travis-ci.org/travis-tahoe/tahoe-lafs
Unfortunately Travis requires a github user with admin rights over the repo it is reporting on. We need to decide whether to grant those rights for the main tahoe-lafs/tahoe-lafs repo.
(The Tahoe-LAFS commit to add the configuration file for Travis build testing is on master already. By itself it has no security consequences.)
Change History (23)
comment:1 Changed at 2013-09-01T01:06:50Z by daira
- Keywords brians-opinion-needed added
comment:2 Changed at 2013-09-01T02:38:35Z by daira
comment:3 Changed at 2013-09-01T15:20:56Z by zooko
I posted a request to the travis-ci twitter account:
comment:4 Changed at 2013-09-01T16:03:57Z by daira
The corresponding Travis issue is https://github.com/travis-ci/travis-ci/issues/1390.
comment:5 Changed at 2013-09-01T16:14:33Z by daira
I asked on the Travis ticket:
As a workaround, would it work to enable Travis and then afterward revoke the github user's admin permission (leaving it with read permissions, and not revoking the OAuth grant)?
roidrage answered:
You can certainly try that combination. Whether it will work in all scenarios, we can't guarantee.
I think we should try this.
comment:6 Changed at 2013-09-01T16:45:33Z by daira
- Owner set to warner
Brian, please give travis-tahoe temporary admin permission to tahoe-lafs/tahoe-lafs.
comment:7 follow-up: ↓ 8 Changed at 2013-09-01T16:47:32Z by daira
Oh hang on, I can test this myself with a different repo, to see whether it will work.
comment:8 in reply to: ↑ 7 ; follow-up: ↓ 9 Changed at 2013-09-01T17:35:30Z by daira
Replying to daira:
Oh hang on, I can test this myself with a different repo, to see whether it will work.
Actually I can't, because only an organisation can grant a user other than a repo's owner admin access to that repo. Creating an organisation requires a paid github account.
comment:9 in reply to: ↑ 8 Changed at 2013-09-01T19:27:59Z by daira
Replying to daira:
Creating an organisation requires a paid github account.
I was mistaken about that.
The result of the testing was that you can revoke Administrative access and the status updating still works, but you cannot revoke write (push) access.
comment:10 Changed at 2013-09-04T19:31:13Z by warner
I've used travis-ci on a different project (https://github.com/warner/python-versioneer). It's pretty nice. On that one, I revoked it's admin access after adding the post-commit hook which triggers builds. (from what I could tell, the main use case for that access was to simplify the hook installation, and could be done manually by copy/pasting some tokens from travis-ci into github's repo config page). I haven't explored the "mark a revision as passing" feature or what authority it needs.
You can add an IMG tag to the README which will show the current build status for a single branch. That's a non-authority-requiring way to display build status.
Is travis really capable of running our build and test suite? Its buildslaves are all donated by supporters, and impose a pretty strict timeout. The build-in-a-sandbox feature is pretty nice, but my general impression is that it's most suitable for small projects with simple dependencies (e.g. things which are pip-installable). I'll look at the test results you posted.
comment:11 Changed at 2013-09-04T20:59:07Z by warner
Hm, another thought is to run a small daemon on our hardware (org) that polls or watches travis-ci for build results, then uses the github API to update the build-status data. The github repo admin token would then live on our own box, not on the travis box.
comment:12 Changed at 2013-09-04T21:09:14Z by daira
Replying to warner:
Is travis really capable of running our build and test suite? Its buildslaves are all donated by supporters, and impose a pretty strict timeout.
The timeout is 50 minutes, or 10 minutes with no output, which is fine for Tahoe-LAFS' test suite.
Do you think the remaining permission issue is important enough to justify the separate daemon? It seems like quite a bit of work. Personally I don't mind that the travis-tahoe user can commit provided that it can only commit as itself, which I think is the case.
If revoking the admin permission after setting the hook is okay, then please give travis-tahoe admin access to tahoe-lafs/tahoe-lafs (in a new Team so that you can change that permission independently).
comment:13 Changed at 2013-10-02T00:47:17Z by warner
FYI, I've set up travis on some of my own projects with somewhat limited authority. To sign into travis at all, you have to grant it an awful lot of power (the basic OAuth request includes write access to your repositories). But there is an incantation you can speak to Github's API to reduce the scope of the travis-ci oauth token to do less. Before or after you attenuate the token like that, you can go to the travis account page and copy down the travis token. Then you can paste this token into the "travis-ci" service hook on one of your repositories.
Activating the hook with that token will, I believe, cause travis to start building things when you push a new change.
The incantation to attenuate the oauth token is (fill in USER and ID):
curl -u USER https://api.github.com/authorizations # note the "id" number for the Travis app. Ignore the Gist app. curl -X PATCH -d'{"remove_scopes": ["public_repo"]}' -u USER https://api.github.com/authorizations/ID curl -X PATCH -d'{"add_scopes": ["repo:status"]}' -u USER https://api.github.com/authorizations/ID
curl will ask for your github password with each request (it uses HTTP basic auth, over SSL).
One problem with this scheme is that, eventually (I'm not sure exactly when), your travis session will expire, and if you re-"sign in with github", it will replace the attenuated oauth token with a full-power one, and you'll have to do this dance again.
And of course, this attenuation removes travis's ability to automatically configure your repo's hooks for you. I don't think that's a problem: pasting the travis token into the webhook configuration seems to be enough to trigger builds.
And there's still the window of time (after sign-in, before the PATCH api call) during which travis gets full access to your repos.
comment:14 Changed at 2013-10-02T10:55:30Z by daira
I don't think the approach in comment:13 gives enough of a security improvement to be worth the complexity or hassle when the token expires. Shall we just give travis-tahoe admin access then revoke it (i.e. change to write access) after the automatic hook setting as described in comment:12? If I understand correctly, any undesired operations it did with the admin authority (well, other than deleting the repo) would show up in the log for tahoe-lafs/tahoe-lafs that is viewable through the github Web interface. Then, after the revocation, any write to the repo would show up as a push (possibly a force-push) by the travis-tahoe user, so it couldn't write silently.
comment:15 Changed at 2013-10-02T11:00:56Z by daira
BTW, seeing the hook manually seems to leave the travis Web interface in a state where it doesn't know that the repo has been enabled. That's why I don't want to do it that way.
comment:16 Changed at 2013-10-02T12:27:47Z by zooko
I'm okay with any of the authority-managing mechanisms mentioned above.
comment:17 Changed at 2013-10-23T15:15:36Z by zooko
What's the state of this ticket? Somebody move this forward, please! I think the current state is "Brian and Daira disagree about how to do it.", so I think the next-step is for the two of them to come to agreement and then go ahead and implement what they've agreed.
comment:18 Changed at 2013-10-23T15:46:14Z by daira
My last comments were comment:14 and comment:15; I was blocked on warner responding to those. Also I don't have the necessary permissions to grant the admin access (which is fine).
comment:19 Changed at 2014-02-26T15:42:30Z by daira
- Keywords brians-opinion-needed removed
- Milestone changed from undecided to soon (release n/a)
- Owner changed from warner to daira
- Status changed from new to assigned
https://github.com/travis-ci/travis-ci/issues/1390 has been fixed, so we should revisit this. I still think it's a good idea to use the travis-tahoe user for defence in depth.
comment:20 Changed at 2014-03-19T16:30:35Z by zooko
- Summary changed from decide whether to enable Travis-CI for the main Tahoe-LAFS repo to enable Travis-CI for the main Tahoe-LAFS repo
comment:21 follow-up: ↓ 22 Changed at 2014-09-01T15:06:01Z by daira
- Owner changed from daira to warner
- Status changed from assigned to new
warner: please add the travis-tahoe github user as a contributor to tahoe-lafs/tahoe-lafs (or alternatively, give the daira user admin access).
comment:22 in reply to: ↑ 21 Changed at 2014-09-01T15:24:50Z by daira
Replying to daira:
warner: please add the travis-tahoe github user as a contributor to tahoe-lafs/tahoe-lafs (or alternatively, give the daira user admin access).
Oh, actually travis-tahoe will still need admin access temporarily to add the webhook. So please give daira admin access, so that I can grant travis-tahoe admin access, turn on the webhook, and then revoke admin.
comment:23 Changed at 2014-09-09T18:27:12Z by daira
- Resolution set to fixed
- Status changed from new to closed
Fixed!
We also have build status badges on the tahoe-lafs.org frontpage and README.rst.
Also see #1810 #2052.