Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.
So... suddenly our builds will take days for someone to build it, grab it, test it, and promote it, and even then it's highly unlikely that they'd catch anything that a somewhat competent attacker would throw at us. There's no way anyone is going to take on this overhead.
On 09/14/2011 10:02 AM, Ed Merks wrote:
At no point have I seen anyone answer this question:
1. run a build on a remote system and compare the pre-signed binaries.
2. run a past build and compare today's binaries with those in the past.
3. run a build and examine the execution trace.
4. run a build, run the executable and examine network output for unknown activity.
On 14/09/2011 6:55 AM, Schaefer, Doug wrote:
And is this not an issue other Hudson/Jenkins users have run into? What are they doing for security? Or do they trust Hudson as much as they do ssh?