Security: please pay careful attention to code running through CI

[rvagg]

Dear @nodejs/collaborators, in light of the recent news about the devastating CPU security flaws discovered by Google's Project Zero, I'd to remind you that we rely on you to review and take responsibility for code submitted to the shared CI system we use for Node.js, libuv and other projects. There is a checkbox you have to click that acknowledges this when requesting a build. Allowing arbitrary code to be run in our CI system opens us up to potential subversion of the integrity of our build, test and benchmark infrastructure so it's vital that you have a good knowledge of the code changes that you are sending through Jenkins. Don't tick that box lightly.
We keep our release infrastructure separate to help mitigate security problems, but, we run a significant amount of infrastructure and having to clean up after even a trivial breach in our test infrastructure could be quite costly on our time and resources and we'd really rather not have to go through that.

[benjamingr]

@rvagg has there been any instance of abuse in the past?

Do you think running automated tools to analyze code before it's run on the CI is justified?

[seishun]

This is a perfect opportunity to finally retire EOL machines that won't get a security update (#961, #962, #967).

[maclover7]

EOL machines (not supported and won't be receiving security updates):

release-digitalocean-centos5-x64-1
release-softlayer-centos5-x86-1
test-digitalocean-centos5-x86-1
test-softlayer-centos5-x64-1
test-softlayer-centos5-x64-2
test-digitalocean-fedora23-x64-1
test-rackspace-fedora23-x64-1
test-digitalocean-fedora24-x64-1
test-rackspace-fedora24-x64-1
test-digitalocean-fedora25-x64-1
test-digitalocean-fedora25-x64-2

Adding this to build-agenda so we can discuss during the next meeting

[rvagg]

@benjamingr nothing major, no.

Re removing old machines: Ubuntu 12.04 is in extended support and I'm hoping to convince canonical to comp us a subscription. Regarding CentOS 5 we need it for Node 4, although I might try and reach out to Red Hat (a member of the NF) to try and get a RHEL subscription to extend that, I'm not sure where we'd run a VM, however. Either way we're stuck with it for now. Regarding Fedora, refer to that discussion, they're holding on because "if we can continue to test older distros and have the capacity to do so then we may as well" is the policy we have at the moment. I'm meh on that policy so I'd be happy to ditch older Fedora to clean up but we'll have to discuss amongst Build.

[mhdawson]

Let Rod PR change in for Fedora, and then remove.

[maclover7]

Many of the EOL machines have been removed from the cluster, closing this for now. CentOS5 is still needed for older Node version releases.