Re: [incubation] Having Hudson push to GitHub

Hi everyone,

many thanks for your helpful replies! :)

Cheers,
 Christoph Daniel

On 02/11/16 09:24, Mikaël Barbero wrote:
> Everything Gunnar said regarding security is true. However, we do
> support this use case and webmaster can set up an SSH deploy for your
> Hudson instance. You just need to file a bug on the Community > Hudson
> component
> (https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Hudson)
> and ask for it.
> 
> Cheers,
> Mikael
> 
>> On 1 Nov 2016, at 13:52, Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx
>> <mailto:gunnar@xxxxxxxxxxxxxxx>> wrote:
>>
>> GitHub supports the notion of dedicated repository SSH deploy keys.
>> Those are decoupled from your user account and can be granted write
>> access to a repository.
>>
>> However, issues remain for any Hudson instance using such a key. As
>> the Hudson user needs read access to the key and its passphrase, it's
>> possible for an attacker to create a Gerrit review or pull request
>> that might expose the key. There is no way to prevent it unless it.
>> Thus, the Mylyn team did put a whitelisting mechanism in place to
>> auto-build/verify reviews only from trusted people.
>>
>> As a GitHub hosted OSS project, you should use Travis. 
>>
>> See:
>> https://github.com/alrra/travis-scripts/blob/master/doc/github-deploy-keys.md
>> and
>> https://docs.travis-ci.com/user/pull-requests#Pull-Requests-and-Security-Restrictions
>>
>> -Gunnar
>>
>> -- 
>> Gunnar Wagenknecht
>> gunnar@xxxxxxxxxxxxxxx <mailto:gunnar@xxxxxxxxxxxxxxx>, http://guw.io/
>>
>>> On 1 Nov 2016, at 09:43, Christoph Daniel Schulze
>>> <cds@xxxxxxxxxxxxxxxxxxxxxx <mailto:cds@xxxxxxxxxxxxxxxxxxxxxx>> wrote:
>>>
>>> Hi everyone,
>>>
>>> at the Eclipse Layout Kernel we are currently thinking about how best to
>>> provide documentation about layout algorithms and supported layout
>>> options to our users. The main place where we host documentation is our
>>> GitHub wiki. What we are currently thinking about is to generate Wiki
>>> documentation from the metadata about our algorithms at compile time
>>> and push that to the wiki repository.
>>>
>>> For this to work, our Hudson instance would need write access to that
>>> repository. One way to do that would be to give it an SSH key for my
>>> GitHub account, but that solution doesn't appeal to me very much for
>>> security reasons. Does anyone do something similar with fewer security
>>> problems?
>>>
>>> I presume that it would probably be easier to give our Hudson write
>>> access to our Eclipse website repository. However, I would prefer to
>>> keep all documentation bundled up at a single place instead of spreading
>>> it out over different websites.
>>>
>>> Cheers,
>>> Christoph Daniel
>>>
>>> _______________________________________________
>>> incubation mailing list
>>> incubation@xxxxxxxxxxx <mailto:incubation@xxxxxxxxxxx>
>>> To change your delivery options, retrieve your password, or
>>> unsubscribe from this list, visit
>>> https://dev.eclipse.org/mailman/listinfo/incubation
>>
> 

Attachment: signature.asc
Description: OpenPGP digital signature
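
The trusted-author gate Gunnar mentions above (auto-building reviews only from trusted people), sketched as a shell step for a CI job. This is an added example, not code from the thread or from the Mylyn project; the function names, event names and allowlist format are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): allowlist gate for a CI job whose
# instance can read a deploy key. All names here are hypothetical.
# Allowlist format (assumed): one account e-mail per line, '#' starts a comment.
# Pass the review system's authenticated change owner, never the git commit
# author field, which the submitter controls.

is_trusted() {  # is_trusted <owner> <allowlist-file>; returns 0 if listed
    # Fail closed on empty input or anything outside a plain e-mail charset.
    case $1 in ''|*[!A-Za-z0-9@._+-]*) return 1 ;; esac
    [ -r "$2" ] || return 1
    it_owner=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r it_line || [ -n "$it_line" ]; do
        # Drop trailing comment, whitespace and case before comparing.
        it_entry=$(printf '%s' "${it_line%%#*}" | tr -d '[:space:]' \
                   | tr '[:upper:]' '[:lower:]')
        [ -n "$it_entry" ] || continue
        if [ "$it_entry" = "$it_owner" ]; then return 0; fi
    done < "$2"
    return 1
}

decide() {  # decide <event> <owner> <allowlist-file>; prints deploy|verify|skip
    case $1 in
        merged) echo deploy ;;  # already accepted by a committer: may push
        review)                 # unmerged change: build only for trusted owners
            if is_trusted "$2" "$3"; then echo verify; else echo skip; fi ;;
        *) echo skip ;;         # unknown trigger: do not build
    esac
}

demo() {  # runs decide over constructed sample data
    d_list=$(mktemp) || return 1
    printf '%s\n' '# committers' 'Alice@example.org  # lead' \
        'bob@example.org' > "$d_list"
    for d_case in 'review alice@EXAMPLE.org' 'review mallory@example.net' \
                  'review bob@example.org.evil.test' 'merged mallory@example.net'
    do
        set -- $d_case   # split into event and owner
        printf '%-7s %-30s -> %s\n' "$1" "$2" "$(decide "$1" "$2" "$d_list")"
    done
    rm -f "$d_list"
}
demo
```

Because any job on the instance can read the key, an untrusted review gets `skip` (no build at all) rather than a build with the key merely left unused.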

