gump-general mailing list archives

From Leo Simons <leosim...@apache.org>
Subject Re: [RT] Gumpy deploying websites?
Date Fri, 12 Mar 2004 15:06:47 GMT
Stefano Mazzocchi wrote:
> Gump is the most insecure system ever,

hpfft.

> since it downloads software from 
> all over the world. This means that even a committer of a library that 
> we depend upon could gain control of gump and use its ssh keys to upload 
> nasty content on your web site.

Gump security is based on its profile, environment, and permissions, 
just like for any other process. You could probably set up a restricted 
gump instance with a restricted profile, restricted access, etc etc. Run 
it on an infrastructure-controlled box. Run a restricted profile. Use 
http redirects, read only NFS mounts, or a pull based setup.

In other words: replace part of forrestbot with gump.

From a security perspective, gump is a python script controlled using 
XML configuration that knows how to download things from cvs and svn, 
how to run ant and other tools on those downloaded things, and what to 
do with the results of those tool invocations.

This is not inherently less secure than, say, putting a crontab file in CVS.

-- 
cheers,

- Leo Simons

-----------------------------------------------------------------------
Weblog              -- http://leosimons.com/
IoC Component Glue  -- http://jicarilla.org/
Articles & Opinions -- http://articles.leosimons.com/
-----------------------------------------------------------------------
"We started off trying to set up a small anarchist community, but
  people wouldn't obey the rules."
                                                         -- Alan Bennett
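
An added example, not part of the original message and not Gump or forrestbot code: a sketch of the publishing side of the "pull based setup" mentioned above, run on the web host so that the build box needs no ssh keys or write access. It assumes the build output has already been fetched into a local staging directory; `check_tree`, `publish`, and the extension allowlist are hypothetical names and policy chosen for illustration.

```python
import os
import shutil

# Assumption: the site is static, so only these file types are expected.
ALLOWED_EXT = {".html", ".css", ".png", ".gif", ".jpg", ".txt", ".xml"}

def check_tree(root):
    """Return a sorted list of reasons to reject a tree fetched from the build host."""
    problems = []
    # os.walk does not descend into symlinked directories by default.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                problems.append(f"symlink: {rel}")
            elif os.path.isdir(path):
                continue
            elif not os.path.isfile(path):
                problems.append(f"special file: {rel}")
            elif os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
                problems.append(f"unexpected type: {rel}")
            elif os.stat(path).st_mode & 0o111:
                problems.append(f"executable bit: {rel}")
    return sorted(problems)

def publish(fetched, docroot):
    """Copy `fetched` into place as `docroot` only if check_tree() finds nothing.

    Returns the list of problems; an empty list means the site was published.
    A rejected tree leaves the currently published docroot untouched.
    """
    problems = check_tree(fetched)
    if problems:
        return problems
    new, old = docroot + ".new", docroot + ".old"
    shutil.rmtree(new, ignore_errors=True)
    shutil.copytree(fetched, new)
    shutil.rmtree(old, ignore_errors=True)
    if os.path.exists(docroot):
        os.rename(docroot, old)   # keep one previous version for rollback
    os.rename(new, docroot)
    return []
```

The checks limit what a compromised build can place in the docroot; they do not vet the content of the allowed files themselves.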


