Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.

I agree with Doug. 

At no point have I seen anyone answer this question:
 What can be done manually to determine if what's produced by Hudson is compromised or not?
Sure, I can download it and run it or even bash it with rocks and poke it with pointy sticks, but what will tell me if there's something bad lurking in there?

I also have to question whether this change during the SR1 shutdown phase is appropriate timing...


On 14/09/2011 6:55 AM, Schaefer, Doug wrote:
I'll come back to something Dave Carver mentioned yesterday. If we don't trust Hudson, then we shouldn't be using it, or at least should be wrapping it up in tighter security, like a VPN for example. If someone is going to do something malicious and they're smart, you're likely not going to be able to discover it. You have to cut it at the source.

And is this not an issue other Hudson/Jenkins users have run into? What are they doing for security. Or do they trust Hudson as much as they do ssh.


cross-project-issues-dev mailing list

Back to the top