Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.

On 2011-09-14 09:17, Gunnar Wagenknecht wrote:
> Thus, the cron job is inherently more secure because it protects others.
> It's still not perfect because it doesn't protect your stuff. The only
> option I see (for now) is avoiding automation when promoting to
> download.eclipse.org but do it manually.

If everyone needs a cron job to copy stuff, then this protection is just an illusion, since a compromised Hudson would be able to produce just about anything and have it copied to just about any location by some cron job. It just needs to disguise its malicious artifacts as a targeted project's build result. How is that different from having an ACL that permits Hudson to write to your download area?

> We also need to ask this question for allowing Hudson to invoke the sign
> script. If Hudson is hijacked, the Eclipse signing certificate needs to
> be revoked which breaks all previously signed stuff.

This is true. If we don't trust what Hudson produces, how can we put our certificate stamp on it?

Regards,
Thomas Hallgren
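As an added illustration of the argument above (this is not code from the thread, nor the Eclipse Foundation's own promotion scripts), the following sh script models the two promotion designs being compared: Hudson writing to the download area directly through an ACL, versus a separately owned cron job that copies each job's last successful output into that project's download directory. The job tree, project names, file contents and the "payload" are all constructed for the demo; the compromise is modelled simply as the Hudson account writing a disguised artifact into another project's job output, which is exactly the write it already has.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Toy model of "Hudson has an ACL on downloads" versus "a cron job copies
# Hudson's output to downloads". All paths and contents are constructed.
set -eu

# Build a scratch layout: Hudson's job output tree (writable by the Hudson
# account) and a stand-in for the download.eclipse.org tree. Prints the root.
setup_demo() {
  root=$(mktemp -d)
  jobs="$root/hudson/jobs"
  mkdir -p "$jobs/project-a/lastSuccessful" "$jobs/project-b/lastSuccessful"
  mkdir -p "$root/downloads/project-a" "$root/downloads/project-b"
  printf 'legit a\n' > "$jobs/project-a/lastSuccessful/a-1.0.zip"
  printf 'legit b\n' > "$jobs/project-b/lastSuccessful/b-1.0.zip"
  echo "$root"
}

# Design 1: Hudson itself is allowed to write into the download area.
# (Here a plain copy; in reality the ACL is what makes the copy possible.)
promote_via_acl() {            # $1 = root, $2 = project
  cp "$1/hudson/jobs/$2/lastSuccessful"/* "$1/downloads/$2/"
}

# Design 2: Hudson cannot touch downloads. A cron job running as a different
# account copies every job's lastSuccessful output to the matching download dir.
promote_via_cron() {           # $1 = root
  for job in "$1"/hudson/jobs/*; do
    project=$(basename "$job")
    cp "$job/lastSuccessful"/* "$1/downloads/$project/"
  done
}

# A hijacked Hudson: the attacker can write anywhere the Hudson account can,
# which includes every job's output tree. Plant a payload disguised as the
# genuine build result of project-b.
compromised_hudson_plants() {  # $1 = root
  printf 'payload\n' > "$1/hudson/jobs/project-b/lastSuccessful/b-1.0.zip"
}

# Succeeds when project-b's published artifact is the attacker's payload.
download_is_tampered() {       # $1 = root
  [ "$(cat "$1/downloads/project-b/b-1.0.zip")" = "payload" ]
}

# Run one design end to end; prints "tampered" or "clean".
run_scenario() {               # $1 = acl | cron
  root=$(setup_demo)
  compromised_hudson_plants "$root"
  if [ "$1" = acl ]; then
    promote_via_acl "$root" project-b
  else
    promote_via_cron "$root"
  fi
  if download_is_tampered "$root"; then echo tampered; else echo clean; fi
  rm -rf "$root"
}

echo "direct ACL write: $(run_scenario acl)"
echo "cron-job promote: $(run_scenario cron)"
```

Both designs publish the planted file: the cron job trusts whatever sits in the job's output directory, so its effective write set is the same as the Hudson account's, which is the point being made in the reply above.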


