Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.

On 2011-09-13 23:56, Denis Roy wrote:

> In my original email, I was suggesting that you perform some kind of validation that the build output you are about to copy is sane, where 'sane' can be as simple as 'weekly builds run at 10:00am on Wednesday, don't copy anything else'.

Right, but if we assume that Hudson has been compromised, how can I trust what was built at 10:00am on Wednesday? How can any build trust anything that is produced? How can we assert that it hasn't been compromised without a very time-consuming manual effort?

If we don't, then we will need very thorough checks of all material that we promote to the download area at all times.

> As Eclipse enters embedded, runtime and server markets, doing that would be a bad idea? Does no one run a network sniffer to see if Eclipse, or any other software, is sending out random data to the world? Surely I'm not the only one who periodically examines my personal network traffic to see what I'm saying...?

I'm not saying that it would be a bad idea. I'm just saying that it's needed and that removing the ACL won't help much. I do think that a better idea, and probably a lot less work, would be to secure Hudson and make sure (to the extent possible of course) that it is safe.

Thomas Hallgren
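The kind of promotion gate the two of them are arguing about, written out as an added example (this is not Eclipse Foundation or Hudson code). It combines Denis's schedule rule with a check that does not rely on Hudson at all: the digests of the artifacts are compared against a reference set assumed to come from a second builder that Hudson cannot write to (for instance a reproducible rebuild on a separate host). Checksum files that Hudson itself produced are deliberately ignored, since a compromised Hudson could rewrite them alongside the tarballs. The file names, patterns, schedule values and artifact bytes are all constructed for the example.

```python
"""Promotion gate: decide whether CI output may be copied to the downloads area.

Added example, not Eclipse Foundation or Hudson code. All names and sample
data below are constructed for illustration.
"""
import datetime as dt
import fnmatch
import hashlib

# Assumed promotion policy, mirroring "weekly builds run at 10:00am on Wednesday".
SCHEDULED_WEEKDAY = 2   # datetime.weekday(): Monday = 0, so Wednesday = 2
SCHEDULED_HOUR = 10
WINDOW_MINUTES = 30     # tolerate a scheduled build that started a little late

# Assumed allow-list of what the downloads area may ever receive from a build.
ALLOWED_PATTERNS = ("eclipse-SDK-*.tar.gz", "eclipse-SDK-*.zip", "*.sha512")


def in_schedule_window(build_start_iso: str) -> bool:
    """True if the build started inside the scheduled weekly slot."""
    build_start = dt.datetime.fromisoformat(build_start_iso)
    if build_start.weekday() != SCHEDULED_WEEKDAY:
        return False
    slot = build_start.replace(hour=SCHEDULED_HOUR, minute=0, second=0, microsecond=0)
    minutes_late = (build_start - slot).total_seconds() / 60
    return 0 <= minutes_late <= WINDOW_MINUTES


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def gate_promotion(build_start_iso: str, artifacts: dict, reference_digests: dict):
    """Return (accepted, reasons) for one Hudson build.

    artifacts:          {filename: bytes} as found in the Hudson workspace.
    reference_digests:  {filename: sha512 hex} from a builder Hudson cannot
                        write to (assumed: an independent reproducible rebuild).
                        Agreement with it cannot be forged from inside Hudson.
    """
    reasons = []
    if not in_schedule_window(build_start_iso):
        reasons.append(f"build at {build_start_iso} is outside the scheduled window")
    for name, data in artifacts.items():
        if not any(fnmatch.fnmatch(name, pat) for pat in ALLOWED_PATTERNS):
            reasons.append(f"unexpected file {name!r} in build output")
            continue
        if name.endswith(".sha512"):
            # Checksums written by Hudson are not evidence; the reference set is.
            continue
        expected = reference_digests.get(name)
        if expected is None:
            reasons.append(f"no independent digest for {name!r}")
        elif sha512_hex(data) != expected:
            reasons.append(f"digest mismatch for {name!r}: Hudson output differs from independent rebuild")
    for name in reference_digests:
        if name not in artifacts:
            reasons.append(f"reference artifact {name!r} missing from build output")
    return (not reasons, reasons)


# Constructed sample build: the bytes stand in for a real tarball.
TARBALL = "eclipse-SDK-3.7.1-linux-gtk-x86_64.tar.gz"
SAMPLE_ARTIFACTS = {
    TARBALL: b"constructed tarball bytes",
    TARBALL + ".sha512": b"(checksum file written by Hudson, ignored by the gate)\n",
}
# What the independent builder reported for the same sources (constructed).
REFERENCE_DIGESTS = {TARBALL: sha512_hex(b"constructed tarball bytes")}


if __name__ == "__main__":
    # 2011-09-14 is a Wednesday; the build started five minutes into the slot.
    print(gate_promotion("2011-09-14T10:05:00", SAMPLE_ARTIFACTS, REFERENCE_DIGESTS))
    tampered = dict(SAMPLE_ARTIFACTS, **{TARBALL: b"backdoored tarball bytes"})
    print(gate_promotion("2011-09-14T10:05:00", tampered, REFERENCE_DIGESTS))
```

The schedule rule alone only filters out off-cycle copies; it is the comparison against the independently produced digests that gives the gate something to hold onto once Hudson itself is assumed hostile, which is the gap Thomas is pointing at.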
