Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.

Hi,

Initially, Denis talked about a security breach that could allow the Hudson user to access the download area and then be able to corrupt files or worse.

You are talking about something different, which is important too.

For the first question, which is only about user privileges and access security, I've set up a cron for integration and nightly, and for stable and releases, I personally do the promotion.

Your question is about Hudson security that could permit somebody to corrupt files produced by Hudson. I don't have an answer for this one.


My 2c,




On 14/09/2011 09:46, Thomas Hallgren wrote:
> On 2011-09-14 09:42, Gunnar Wagenknecht wrote:
>> On 14.09.2011 09:29, Thomas Hallgren wrote:
>>> How is that different from having an ACL that
>>> permits Hudson to write to your download area?
>> Well, I don't have to run the cron job, i.e. it's under *my*
>> control.
>
> Indeed. My point is that if everyone writes a cron-job in order to gain
> control, then we move the responsibility to each individual project to
> ensure that what it copies is secure. How can each project ensure that
> if we assume that Hudson is compromised? I have no idea how I should
> write a cron-job that would detect malicious code cleverly hidden in a
> Hudson build result. Do you? Does anyone?
>
> - thomas

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev

