From: Wendy Smoak
Date: Sun, 9 Jan 2011 20:59:43 -0500
Subject: Re: Build agent security
To: dev@continuum.apache.org

Any thoughts on this?

-Wendy

On Tue, Dec 28, 2010 at 4:39 PM, Wendy Smoak wrote:
> This bit of CONTINUUM-2599 caught my eye:
>
> "Current workaround to get Build Agent's installation is by directly
> using the Build Agent Web Service."
>
> I was under the impression that while the build agent would accept
> XML-RPC requests from anyone, it would only send responses back to the
> master defined in its config file. (See CONTINUUM-2044)
>
> Did something change and you are now able to connect directly to the
> agent and do things/get information without an authorization check?
> (There is no authentication/authorization on the build agent.
> (right?))
>
> In addition, a comment on 2044 reminded me that CONTINUUM-2545 added
> unsecured webdav access to the working copy.
>
> Any thoughts on whether build agents should be better secured, and if so how?
>
> * http://jira.codehaus.org/browse/CONTINUUM-2599
> * http://jira.codehaus.org/browse/CONTINUUM-2044
> * http://jira.codehaus.org/browse/CONTINUUM-2545
>
> --
> Wendy