From: Wendy Smoak
Date: Tue, 28 Dec 2010 16:39:19 -0500
Subject: Build agent security
To: dev@continuum.apache.org

This bit of CONTINUUM-2599 caught my eye:

"Current workaround to get Build Agent's installation is by directly using the Build Agent Web Service."

I was under the impression that while the build agent would accept XML-RPC requests from anyone, it would only send responses back to the master defined in its config file. (See CONTINUUM-2044)

Did something change and you are now able to connect directly to the agent and do things/get information without an authorization check? (There is no authentication/authorization on the build agent. (right?))

In addition, a comment on 2044 reminded me that CONTINUUM-2545 added unsecured webdav access to the working copy.

Any thoughts on whether build agents should be better secured, and if so how?

* http://jira.codehaus.org/browse/CONTINUUM-2599
* http://jira.codehaus.org/browse/CONTINUUM-2044
* http://jira.codehaus.org/browse/CONTINUUM-2545

--
Wendy