by benjamkovi 7 days ago
ClickHouse dev here, but this is true. ClickHouse contributed to finding several bugs in our third-party libs (jemalloc and librdkafka for 100%; there are many more, but I only worked on these), in the Linux kernel, and basically everywhere. We have very rigorous fuzzers (yes, multiple fuzzers on multiple levels), running tests in an insane number of configurations. I think the last number I heard a year ago is around 400 hours for a complete CI run for a single commit (not PR, but commit). So yeah, pretty insane, in a good way.

Does it ever get abused?

"This PR introduces the ability for Clickhouse to mine Bitcoin...":

The CI only runs after one of the maintainers adds a "can be tested" label. When the label is already added, it stops when any of the infrastructure-related files are modified, like Dockerfile, CI configurations, etc. This is quite ok, but not 100% bulletproof, as you can easily do weird things by modifying the code or using a bug in the compiler. However, the CI infrastructure runs on isolated machines inside an isolated account.

Before adding the label, we have to check the diff for suspicious things. There were a few abuse attempts (all of them were from now-vanished GitHub accounts).

Found one example that survived, and it was legitimate: https://github.com/ClickHouse/ClickHouse/pull/99522/changes