[SECURITY ALERT] XSS Vulnerability in Console - 0.8.0p1 and 0.8.1p1

SUMMARY

Amber Yust has discovered and fixed several cross-site scripting
vulnerabilities in the Buildbot console.  This vulnerability allows an
attacker to craft a URL targetting a specific Buildbot instance, and
run arbitrary browser-side code in the context of that Buildbot
instance.  This constitutes a security risk both for the Buildbot
instance and for any other services hosted on the same domain as that
Buildbot instance, and is a particular threat when browsers'
same-origin policy is used to protect sensitive information such as
cookies.

Note that Buildbot itself does not use cookies (even in the IAuth
framework), so the risk for a standalone buildbot instance is somewhat
limited.  Even so, all users are urged to upgrade or apply the patch
given in the MITIGATION section, below.

The vulnerabilities are limited to the console view, and do not
affect Buildbot slaves.

AFFECTED VERSIONS
 buildbot-0.8.0
 buildbot-0.8.1

UNAFFECTED VERSIONS
 all earlier versions

MITIGATION

All users of Buildbot are urged to patch their installations.  Patches

How to make SVN step checkout a few source dirs?

Greetings,

I'd like to have it check out say: $SVN_URL/trunk/{src,regress} but
skip the 9 other directories at that level.
Currently I have it checking out $SVN_URL/trunk  but that gets me
several GB of files not needed for the build.

Migrating from CVS -> SVN and the CVS() step has the modules arg which
we are using with CVS.

Thanks,
Bill

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

Re: How to make SVN step checkout a few source dirs?

 On 10/2/2010 7:04 PM, Bill Deegan wrote:
> Greetings,
>
> I'd like to have it check out say: $SVN_URL/trunk/{src,regress} but
> skip the 9 other directories at that level.
> Currently I have it checking out $SVN_URL/trunk  but that gets me
> several GB of files not needed for the build.

I may be way off (I've never needed to do what you need to do, so feel free to
ignore me), but wouldn't multiple SVN steps do the trick for you?  E.g.:

   ...
   myStep.addStep(source.SVN(mode="update", svnurl="$SVN_URL/trunk/src",
workdir="<dir>"))
   myStep.addStep(source.SVN(mode="update", svnurl="$SVN_URL/trunk/regress",
workdir="<dir>"))
   ...

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

Re: buildbot try and virtualenv

On Mon, Sep 27, 2010 at 8:36 PM, Doug Latornell <djl@...> wrote:
> These all look like breaking changes to me. Does that mean that the
> old forms need to remain but raise DeprecationWarnings, or should I
> just go ahead and make changes with no regard for backward
> compatibility?

I would prefer to keep backward-compatibility where possible, but if
there's a conflict, I'm happy to add it to NEWS and ask upgraders to
alter their configurations (as long as the alteration is simple).

Dustin

------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security 
easier or more difficult to achieve? Read this whitepaper to separate the 
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d

Re: Buildbot at/with OpenERP

On Wed, Sep 29, 2010 at 3:26 AM, P. Christeas <p_christ@...> wrote:
> Please consider pulling from it.

Thanks!  And sorry for the delay..

Looking at the patches in that repo:

----

commit 844760e1d575f098647902e0da98541144713b3d
Author: P. Christeas <p_christ@...>
Date:   Fri Aug 13 20:00:36 2010 +0300

    Setup: quick hack to avoid downloading/installing requirements.

    When building for a distro, having intermediate steps like requirements
    auto-download is forbidden. Until I find some better method, I put an
    env var "NO_INSTALL_REQS" to supress that behavior.

I suspect this will be useful to others, and I've pulled it and added
some documentation.

----

commit 3d4e18cfcfc06106ea458bb58a81b3f1585088b1
Author: P. Christeas <p_christ@...>
Date:   Fri Sep 10 10:47:20 2010 +0300

    master, dbspec: Allow DbSpec to be fully overriden

Re: repo and gerrit support to buildbot

On Wed, Sep 29, 2010 at 3:59 AM, Neal Chant <neal@...> wrote:
> I'll dig it out, it works, but never made it to production - we ended up
> using qemu-img creating sparse clones from templates and then virsh.

Sounds exciting - do you have time to clean it up and get it merged
into buildbot?

Dustin

--

-- 
Open Source Storage Engineer
http://www.zmanda.com

------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security 
easier or more difficult to achieve? Read this whitepaper to separate the 
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d

Image upgrade for Buildbot - want to help?

If you haven't noticed, http://buildbot.net is kind of drab.  The part
about the security alert doesn't help anything, either, but I think
the project needs to take its lumps for that.

Anyway, I'd like to upgrade things, but I'm no designer or copywriter.
 I'd like:

 - A decent-looking, non-Trac, landing page

 - Some more peppy "what the heck is Buildbot" text (in particular,
Buildbot gets used as much for building binaries as for testing, but
the current description focuses on testing)

 - A theme we can apply to Trac, the manual, the API docs, and the
metabuildbot, that ties everything together a little bit more

No flash splash-screen (no flash at all, por favor), no huge images,
no marketing fluff.. just a facelift.

Is anyone interested in taking this on?  I'm happy to reconfigure
buildbot.net as necessary and do whatever other integration is
required.

Dustin

------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security 
easier or more difficult to achieve? Read this whitepaper to separate the 
two and get a better understanding.

Re: repo and gerrit support to buildbot

On Sun, 2010-10-03 at 17:00 -0500, Dustin J. Mitchell wrote:
> On Wed, Sep 29, 2010 at 3:59 AM, Neal Chant <neal@...> wrote:
> > I'll dig it out, it works, but never made it to production - we ended up
> > using qemu-img creating sparse clones from templates and then virsh.
> 
> Sounds exciting - do you have time to clean it up and get it merged
> into buildbot?

Attached the original (part) master.cfg for virsh control of VMs, note
the comment on getting an instant VM stop.

For the particular project, we found the Windows VMs a big PITA and
didn't end up using this. The final virsh controller was bash (python is
on the 'to pickup' list). I'm happy to help where possible.

The project is happily building Linux-ant, Windows-C#, Windows-WP7 all
fed from SVN to on-demand fresh VMs.

Neal

# -*- python -*-
# ex: set syntax=python:

from twisted.internet import defer, threads
from buildbot.buildslave import AbstractLatentBuildSlave
import libvirt

# NOTES

how to link gerrit change to repo

Hello list,
I'm looking for some advice implementing the repo+gerrit advanced features.

Here is the current design:

gerritchangesource is getting change events from gerrit ssh server.
Two types of events are useful.

change-merged: means a new change has entered the mainline. buildset
can be triggered to rebuild the mainline for every platform.
This is the trivial case, currently implemented and working.

patchset-created; means that a developer is pushing a new patch for
review. Usually, buildbot user wants to make a build with this patch
to see if it compiles, and then try to run the result.

 1) automatically, the patch is applied on top of a the latest
mainline, build are triggered for everyplatform. repo source fetcher
can extract patch information from the change properties.
 2) The developer tells this is a set of 4 patches that are mutually
interdependant (but not managed by gerrit as dependant). buildbot user
 must tell buildbot manually (via web interface) what patches to apply
on top of mainline

I'm looking on how to implement use cases 1 and 2 with the same
mechanism. I have idea on how to hack 2 with repo source fetcher
looking on specially crafted property, but I'm not very happy with it.
It is possible to report the user the list of old changes and let him
trigger a build by selecting several of them?

Builder parameters in sample.cfg

I was looking at the sample master.cfg file that gets generated by
buildbot, and it seems as though some of the information is getting
out-of-date.

For instance, master/buildbot/scripts/sample.cfg refers to
periodicBuildTime, which has been moved to the periodic schedulers.
Also, 'builddir' is no longer required, and has reasonable defaults
based on the name. There are a bunch more options in the
documentation.

Would it make sense to just list the required parameters, and refer to
the documentation for the rest?

--

-- 
- Charles Lepple

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb