Message-ID: <4051CB4E.7000608@apache.org>
Date: Fri, 12 Mar 2004 09:38:06 -0500
From: Stefano Mazzocchi
Organization: Apache Software Foundation
To: Gump code and data
Delivered-To: mailing list general@gump.apache.org
Mailing-List: contact general-help@gump.apache.org; run by ezmlm
List-Id: "Gump code and data"
Subject: Re: [RT] Gumpy deploying websites?
References: <09fb01c4074e$b8b46490$2502a8c0@vma>
In-Reply-To: <09fb01c4074e$b8b46490$2502a8c0@vma>

Vincent Massol wrote:
> Hi,
>
> In the past, Sam had provided some configuration so that Gump would
> upload every day the Cactus website (built as part of the Cactus build)
> to jakarta.apache.org/cactus. That was quite nice.
>
> I'd love to see Gump(y) add even more value to projects (such as
> deploying their web sites every night - for Apache projects who
> configure this in their deployment descriptors).
>
> Note: I think related security issues can be solved without too much
> problem (for example by allowing only to deploy to cvs.apache.org).
>
> Thoughts?

-1, this is asking for trouble.

Gump is the most insecure system ever, since it downloads software from
all over the world. This means that even a committer of a library that
we depend upon could gain control of gump and use its ssh keys to upload
nasty content on your web site.

In a security chain, the weakest ring is the problem, not the strongest,
and gump has soooooo many of these weak rings that it is actually
impressive that nothing has happened so far.

There are talks with infrastructure guys about setting up the new gump
machine so that it is *wiped out* every night and reinstalled completely
from scratch, operating system included.

Rather drastic, I agree, but if we want gump to be trusted by the HTTPD
folks we must start thinking about security way more seriously and not
trust any artifact that gump produces.

-- 
Stefano.
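The exchange above turns on one credential: a build host that executes code fetched from many third parties also holds an ssh key that can write to a project web site, so anyone who can get code into a dependency's build can use that key. The example below is added here to illustrate Vincent's "allow only deploying to one place" idea as a concrete control on the key itself; it is not code from Gump, from the Apache infrastructure team, or from either poster. It is a forced-command wrapper for OpenSSH: the `command=`, `from=`, `no-pty`, `no-port-forwarding`, `no-agent-forwarding` and `no-X11-forwarding` options in `authorized_keys` are real OpenSSH features, while the host name, key, script path and `DEPLOY_ROOT` directory are assumptions chosen for the example. With this in place, a stolen key can only run an rsync upload into one fixed directory: no shell, no download of the rest of the web root (`--sender` is refused), no path traversal, no long options such as `--rsync-path` or `--files-from`. It does nothing about Stefano's larger point, which is that whatever the build host uploads into that directory is itself untrusted; bounding the credential limits the blast radius of a compromised host, it does not make the artifact trustworthy.

```shell
#!/bin/sh
# deploy-guard.sh: forced-command wrapper for a single-purpose ssh deploy key.
# Added example, not part of Gump. Install it on the web host and bind it to
# the key in ~/.ssh/authorized_keys (host, key and path are assumptions):
#
#   from="gump.example.org",command="/usr/local/bin/deploy-guard.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... gump-deploy
#
# sshd then ignores whatever the client asked to run and invokes this script
# with the client's request in $SSH_ORIGINAL_COMMAND. Only an rsync receiving
# side that writes into DEPLOY_ROOT is admitted.

# The single directory this key may write to (assumed path for the example).
DEPLOY_ROOT="/www/jakarta.apache.org/cactus/"

# deploy_guard CMD -> exit status 0 if CMD is an allowed rsync upload, 1 otherwise.
deploy_guard() {
    cmd=$1
    nl='
'
    # Empty requests and embedded newlines are refused outright.
    case "$cmd" in
        "") return 1 ;;
        *"$nl"*) return 1 ;;
    esac

    # Character allowlist: letters, digits, space, '.', '/', '_' and '-'.
    # Anything else (shell metacharacters, '=', quotes, globs) is refused, so
    # the word split below can never glob or reach a shell.
    rest=$(printf '%s' "$cmd" | LC_ALL=C tr -d 'A-Za-z0-9 ./_-')
    [ -z "$rest" ] || return 1

    # Word 1 must be rsync and word 2 --server (the receiving end of
    # "rsync ... host:path"); the request needs at least "rsync --server . DEST".
    set -- $cmd
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] || return 1
    [ $# -ge 4 ] || return 1

    # Every word between --server and the "." source marker must be a plain
    # short-option bundle such as -logDtpr or -vlogDtprze.iLsfxC. Long options
    # (--sender, --rsync-path, --files-from, --delete) are refused: --sender
    # would turn the key into a way to read the web root, and the others
    # let the caller run programs or read files outside DEPLOY_ROOT.
    shift 2
    while [ $# -gt 2 ]; do
        case "$1" in
            -[a-zA-Z.]*) ;;
            *) return 1 ;;
        esac
        shift
    done
    [ "$1" = "." ] || return 1

    # The destination must be exactly DEPLOY_ROOT: not a parent, not a
    # sibling, not DEPLOY_ROOT/.. and not a relative path rsync would resolve
    # against $HOME.
    [ "$2" = "$DEPLOY_ROOT" ] || return 1
    return 0
}

# When invoked by sshd, enforce the policy and exec the vetted request.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if deploy_guard "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"
    else
        echo "deploy-guard: rejected: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    fi
fi
```

The allowlist is deliberately tight: `--delete` is refused too, so a site that needs stale files removed has to extend the option check on purpose rather than by accident. Pair it with a key that is used for nothing else and with the `from=` restriction, and a compromise of the build host yields at most a defaced copy of that one directory, which the nightly rebuild Stefano mentions can then be checked against the expected content.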