Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
On 2011-09-14 09:17, Gunnar Wagenknecht wrote:
> If everyone needs a cron-job to copy stuff, then this protection is just an illusion since a compromised Hudson would be able to produce just about anything and have it copied to just about any location by some cron-job. It just needs to disguise its malicious artifacts as a targeted project's build result. How is that different from having an ACL that permits Hudson to write to your download area?

Thus, the cron job is inherently more secure because it protects others. It's still not perfect because it doesn't protect your stuff. The only option I see (for now) is avoiding automation when promoting to download.eclipse.org and doing it manually.
> We also need to ask this question for allowing Hudson to invoke the sign script. If Hudson is hijacked, the Eclipse signing certificate needs to be revoked, which breaks all previously signed stuff.

This is true. If we don't trust what Hudson produces, how can we put our certificate stamp on it?

Regards,
Thomas Hallgren
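To make concrete what "protects others" demands of the cron job, the point both messages above turn on, here is an added example; it is not Eclipse's promote script and not code from anyone in this thread. It is a POSIX shell promotion job that copies artifacts out of a Hudson drop directory but refuses to let anything Hudson produced (path names, ".." components, symlinks) steer the copy outside the one project's own download area or pull other readable files into it. The directory layout, the variables HUDSON_OUT, DOWNLOADS and PROJECT, the function names and the sample files are all assumptions made for the illustration.

```shell
#!/bin/sh
# Hypothetical promotion cron job, added as an illustration; not Eclipse's own
# promote script. Assumed layout (an assumption, not from the thread): Hudson
# drops project $PROJECT's artifacts under $HUDSON_OUT/$PROJECT, and this job,
# running as the project's own account, may write only under
# $DOWNLOADS/$PROJECT. PROJECT comes from the cron configuration, never from
# Hudson. A compromised Hudson controls everything in the drop directory
# (file names, symlinks, contents), so nothing read from there may decide
# where the copy lands.

# safe_relpath PATH: succeed only for a relative path whose components are all
# plain names: no leading slash, no empty, "." or ".." components.
safe_relpath() {
    rest=$1
    case "$rest" in ''|/*) return 1 ;; esac
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case "$comp" in ''|.|..) return 1 ;; esac
        case "$rest" in */*) rest=${rest#*/} ;; *) rest='' ;; esac
    done
    return 0
}

# has_symlink BASE PATH: succeed if any component of BASE/PATH is a symlink.
# cp follows symlinks, so a link planted in the drop directory could otherwise
# make the job publish any file the cron user can read, e.g. a credential file.
has_symlink() {
    cur=$1; rest=$2
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        cur="$cur/$comp"
        [ -L "$cur" ] && return 0
        case "$rest" in */*) rest=${rest#*/} ;; *) rest='' ;; esac
    done
    return 1
}

# promote_one RELPATH: copy one artifact from the drop directory into the
# project's download area. On any rejection it copies nothing and returns 1.
promote_one() {
    rel=$1
    src="$HUDSON_OUT/$PROJECT/$rel"
    dst="$DOWNLOADS/$PROJECT/$rel"
    if ! safe_relpath "$rel"; then
        echo "reject: unsafe path: $rel" >&2; return 1
    fi
    if has_symlink "$HUDSON_OUT/$PROJECT" "$rel"; then
        echo "reject: symlink in drop directory: $rel" >&2; return 1
    fi
    if [ ! -f "$src" ]; then
        echo "reject: not a regular file: $rel" >&2; return 1
    fi
    mkdir -p "$(dirname "$dst")" && cp "$src" "$dst"
}

# Stand-alone demonstration in a scratch directory with constructed inputs.
demo() {
    sandbox=$(mktemp -d) || return 1
    HUDSON_OUT="$sandbox/hudson"; DOWNLOADS="$sandbox/downloads"; PROJECT=myproject
    mkdir -p "$HUDSON_OUT/$PROJECT/drops" "$DOWNLOADS/$PROJECT" "$DOWNLOADS/otherproject"
    echo "build output" > "$HUDSON_OUT/$PROJECT/drops/site.zip"
    echo "not for publication" > "$sandbox/secret"
    ln -s "$sandbox/secret" "$HUDSON_OUT/$PROJECT/leak.txt"
    promote_one drops/site.zip && echo "promoted drops/site.zip"
    promote_one ../otherproject/evil.zip || echo "blocked traversal into otherproject"
    promote_one leak.txt || echo "blocked symlink to a file outside the drop directory"
    rm -rf "$sandbox"
}
demo
```

Note what this does and does not buy you: a compromised Hudson can still put anything it likes into the project's own download area, which is exactly the gap the reply above points out. The confinement only guarantees that the damage stops at the project boundary, and that guarantee holds only while the destination is derived from fixed configuration rather than from Hudson's output.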