Learn more about these different git repos.
Other Git URLs
Consider one copr that adds 2 SCM packages like this:
$ for pkg in package1 package2; do copr edit-package-scm --clone-url https://src.fedoraproject.org/rpms/ ${pkg}.git --name ${pkg} --webhook-rebuild on --commit master $(whoami)/example; done
Now in Fedora, somebody opens a pull request (possibly malicious) on package1. It's a first pull request, so it is going to be at:
https://src.fedoraproject.org/rpms/package1/pull-request/1
The triggered build will end up in the example: pr:1 "directory" (due to pagure bug, the directory name is not displayed correctly here so I've inserted a space into it, please try to ignore it).
example: pr:1
Later, somebody opens a pull request on package2. It's a first pull request, so it is going to be at:
https://src.fedoraproject.org/rpms/package2/pull-request/1
The triggered build will end up in the example: pr:1 "directory" as well seeing the (possibly malicious) build of package1. Users installing the repo will get both builds.
This directory now has at last two different packages in it.
This is mostly an UX bug, but if stretched, it can be considered a security issue as well.
I think we should implement per-package integration (not per project), I claimed this is needed since beginning - so +1.
Reference to thread that triggered this issue: https://lists.fedorahosted.org/archives/list/copr-devel@lists.fedorahosted.org/thread/26ZXCMM5BNIFXLUVQ6JVEIAVUCM7VSZX/
The triggered build will end up in the example: pr:1 "directory" seeing the (possibly malicious) build of package1.
Fortunately build of package 2 doesn't see the package 1, because the pr:1 directory is not in list of repositories used for the build of those packages.
At least content of package 1 should not affect content of package 2. But dnf copr enable project:pr:1 would bring both packages, and that is usually not wanted.
dnf copr enable project:pr:1
Metadata Update from @praiskup: - Issue tagged with: RFE, UI
(I don't think this is an RFE.)
It is a matter of POV; and I need to discuss this on our meeting. We could add opt-in/opt-out per-package copr-dir separation, something like project:pkg:pr:id - that would be RFE. It's not a bug per original design, at least because I know the original decisions..
project:pkg:pr:id
The issue itself is not security related.
This issue has been migrated to GitHub: https://github.com/fedora-copr/copr/issues/767
Metadata Update from @nikromen: - Issue close_status updated to: MIGRATED - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.