Re: [incubation] Having Hudson push to GitHub

Everything Gunnar said regarding security is true. However, we do support this use case and webmaster can set up an SSH deploy for your Hudson instance. You just need to file a bug on the Community > Hudson component (https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Hudson) and ask for it.

Cheers,
Mikael

On 1 Nov 2016, at 13:52, Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:

GitHub supports the notion of dedicated repository SSH deploy keys. Those are decoupled from your user account and can be granted write access to a repository.

However, issues remain for any Hudson instance using such a key. As the Hudson user needs read access to the key and its passphrase, it's possible for an attacker to create a Gerrit review or pull request that might expose the key. There is no way to prevent it unless it. Thus, the Mylyn team did put a whitelisting mechanism in place to auto-build/verify reviews only from trusted people.

As a GitHub hosted OSS project, you should use Travis. 

See:
and

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/






On 1 Nov 2016, at 09:43, Christoph Daniel Schulze <cds@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi everyone,

at the Eclipse Layout Kernel we are currently thinking about how best to
provide documentation about layout algorithms and supported layout
options to our users. The main place where we host documentation is our
GitHub wiki. What we are currently thinking about is to generate Wiki
documentation from the meta data about our algorithms at compile time
and push that to the wiki repository.

For this to work, our Hudson instance would need write access to that
repository. One way to do that would be to give it an SSH key for my
GitHub account, but that solution doesn't appeal to me very much for
security reasons. Does anyone do something similar with fewer security
problems?

I presume that it would probably be easier to give our Hudson write
access to our Eclipse website repository. However, I would prefer to
keep all documentation bundled up at a single place instead of spreading
it out over different websites.

Cheers,
Christoph Daniel

_______________________________________________
incubation mailing list
incubation@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/incubation
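
The whitelisting approach Gunnar mentions, sketched as a build-step gate for a job whose workspace can read a write-capable deploy key. This is an added example, not part of the original thread and not the Mylyn team's actual mechanism; the function name, the allowlist contents and the assumption that only committers can push to `refs/heads/*` are all hypothetical.

```shell
#!/bin/sh
# Added example: gate for a CI job whose workspace can read a deploy key.
# All names and addresses below are constructed for illustration.

# Review owners whose changes may be built automatically (constructed sample).
TRUSTED_OWNERS="alice@example.org bob@example.org"

# decide_build REF OWNER_EMAIL
#   REF          ref being built, e.g. refs/heads/master or a review ref
#   OWNER_EMAIL  owner of the review as reported by the review system
#                (the authenticated account, not the self-asserted git author)
# Prints "build" or "hold"; "hold" means a committer must start the job by hand.
decide_build() {
    ref=$1
    owner=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')

    case "$ref" in
        refs/heads/*)
            # Assumption: only committers can push here, so the code is trusted.
            echo build; return 0 ;;
        refs/changes/*|refs/pull/*)
            # Gerrit review or GitHub pull request: unreviewed code that would
            # run with read access to the key, so check the owner below.
            ;;
        *)
            echo hold; return 0 ;;
    esac

    # Exact, whole-address match only. A substring or prefix test would also
    # accept look-alikes such as alice@example.org.example.net.
    for trusted in $TRUSTED_OWNERS; do
        if [ "$owner" = "$trusted" ]; then
            echo build; return 0
        fi
    done
    echo hold
}

# Example run over constructed inputs.
decide_build refs/changes/42/1042/3 alice@example.org     # build
decide_build refs/pull/17/head mallory@example.net        # hold
```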
