Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.

On 13.09.2011 21:48, Igor Fedorenko wrote:
> Can you elaborate on the suggested promotion job approach? What are the
> security advantages of forcing extra layer of automation in this
> particular case? I am not a security expert, but if Hudson instance gets
> compromised and changed to produce "bad" artifacts with "good"
> signatures and checksums, wouldn't the promotion job make these
> bad artifacts available from download.e.o?

There are a few things to consider.

The cron job runs under your user id, i.e. it will only be able to mess
up your stuff on download.eclipse.org. The Hudson server runs under the
Hudson user id, i.e. it will be able to mess up your stuff and stuff
from others.

Thus, the cron job is inherently more secure because it protects others.
It's still not perfect because it doesn't protect your stuff. The only
option I see (for now) is avoiding automation when promoting to
download.eclipse.org but do it manually.

Most of the time, we like the automation because it makes builds
immediately consumable by others. That's a crucial feature to have. But
I really wonder if nightly/intermediate builds need to be available on
download.eclipse.org or if they could be made available on
randomnotsosecurestuff.eclipse.org.

We also need to ask this question for allowing Hudson to invoke the sign
script. If Hudson is hijacked, the Eclipse signing certificate needs to
be revoked which breaks all previously signed stuff.

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx
http://wagenknecht.org/
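The message above argues for a promotion step that runs under the project user's own uid rather than the Hudson uid, so a hijacked Hudson can at most spoil what it staged and not what is already published. The script below is an added example of such a step, written for this page; it is not Eclipse's, Hudson's, or Gunnar's own code. It assumes Hudson can only write to a staging directory, that the staging directory carries a `SHA256SUMS` manifest in `sha256sum` format, and that the cron job owning the target tree runs this script; those names and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not Eclipse's or Hudson's own code): a promotion step meant to
# run from cron under the project user's own uid. Hudson only ever writes into
# STAGING; this script decides what reaches the public download tree.
# The manifest name SHA256SUMS and the directory layout are assumptions.
#
# What this does catch: files staged but not listed, listed but missing,
# symlinks pointing elsewhere, path traversal in the manifest, and a file that
# changed after the manifest was written.
# What it cannot catch: a compromised Hudson that writes bad files together
# with matching digests, because both come from the same host. That is exactly
# the gap the message describes; the uid split only limits the blast radius.

set -u

# Print the SHA-256 of a file; coreutils sha256sum or perl shasum, whichever exists.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# promote_build STAGING TARGET
# Copies into TARGET only the plain files listed in STAGING/SHA256SUMS whose
# digest matches. Verifies everything first, then copies, so a mismatch in the
# third file does not leave the first two already published.
# Returns 1 (and copies nothing) on any manifest, path or checksum problem.
promote_build() {
    staging=$1
    target=$2
    manifest=$staging/SHA256SUMS

    if [ -L "$manifest" ] || [ ! -f "$manifest" ]; then
        echo "promote: missing or symlinked manifest in $staging" >&2
        return 1
    fi

    # Pass 1: validate names and digests without touching TARGET.
    while read -r digest name; do
        case "$name" in
            ''|*/*|.*)
                # Empty, containing a slash, or dot-prefixed (covers "..").
                # The manifest may only name files directly inside STAGING.
                echo "promote: refusing manifest entry '$name'" >&2
                return 1 ;;
        esac
        case "$digest" in
            *[!0-9a-f]*|'')
                echo "promote: bad digest for $name" >&2
                return 1 ;;
        esac
        if [ "${#digest}" -ne 64 ]; then
            echo "promote: digest for $name is not SHA-256" >&2
            return 1
        fi
        src=$staging/$name
        if [ -L "$src" ] || [ ! -f "$src" ]; then
            echo "promote: $name is not a plain file" >&2
            return 1
        fi
        if [ "$(digest_of "$src")" != "$digest" ]; then
            echo "promote: checksum mismatch for $name" >&2
            return 1
        fi
    done < "$manifest"

    # Pass 2: publish. The files end up owned by this uid with mode 0644, so
    # the Hudson uid, which never owns anything under TARGET, cannot alter
    # them afterwards.
    ( umask 022
      mkdir -p "$target" || exit 1
      while read -r digest name; do
          cp "$staging/$name" "$target/$name" || exit 1
          chmod 0644 "$target/$name" || exit 1
      done < "$manifest"
      cp "$manifest" "$target/SHA256SUMS" )
}

# Constructed sample input for a stand-alone run: two fake artifacts and a
# manifest, promoted once, then tampered with and refused.
demo_promotion() {
    work=$(mktemp -d) || return 1
    mkdir "$work/staging" "$work/target" || return 1
    printf 'build 1\n' > "$work/staging/plugin.jar"
    printf 'build 1 repo\n' > "$work/staging/content.xml"
    ( cd "$work/staging" && for f in plugin.jar content.xml; do
          printf '%s  %s\n' "$(digest_of "$f")" "$f"; done > SHA256SUMS )
    promote_build "$work/staging" "$work/target" || return 1
    # Tamper with a staged file after the manifest was written: must be refused.
    printf 'evil\n' > "$work/staging/plugin.jar"
    if promote_build "$work/staging" "$work/target2"; then
        echo "demo: tampered file was promoted" >&2
        return 1
    fi
    rm -rf "$work"
    echo "demo: ok"
}

if [ "${1:-}" = "demo" ]; then
    demo_promotion
fi
```

Run it as `sh promote.sh demo` to see the constructed round trip, or call `promote_build /path/to/staging /path/to/download-tree` from the project user's crontab. The two-pass structure matters: validating every entry before copying anything keeps a half-promoted build from appearing on the public tree, and doing all of it under the owning uid is what denies a hijacked Hudson the ability to touch what is already there.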

