Re: [cross-project-issues-dev] Why allowing Hudson to write to your down

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.

From: Thomas Hallgren <thomas@xxxxxxx>
Date: Wed, 14 Sep 2011 09:46:17 +0200
Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/cross-project-issues-dev>
List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.20) Gecko/20110831 Fedora/3.1.12-2.fc14 Lightning/1.0b2 Thunderbird/3.1.12

On 2011-09-14 09:42, Gunnar Wagenknecht wrote:

Am 14.09.2011 09:29, schrieb Thomas Hallgren:

How is that different from having an ACL that
permits Hudson to write to your download area?

Well, I don't have to run the cron job., i.e. it's it's under *my* control.

Indeed. My point is that if everyone writes a cron-job in order to gain control, then we move the responsibility to eachindividual project to ensure that what it copies is secure. How can each project ensure that if we assume that Hudson iscompromised? I have no idea how I should write a cron-job that would detect malicious code cleverly hidden in a Hudsonbuild result. Do you? Does anyone?


- thomas

Follow-Ups:
- Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
  - From: Gunnar Wagenknecht
- Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
  - From: Stéphane Bouchet

References:
- [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
  - From: Denis Roy
- Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
  - From: Igor Fedorenko
- Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
  - From: Gunnar Wagenknecht
- Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
  - From: Thomas Hallgren
- Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
  - From: Gunnar Wagenknecht

Prev by Date: Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
Next by Date: Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
Previous by thread: Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
Next by thread: Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
Index(es):
- Date
- Thread

Breadcrumbs