gump-general mailing list archives

From Leo Simons <lsim...@jicarilla.org>
Subject Re: legalities of jar publishing
Date Sun, 27 Jun 2004 10:02:17 GMT
Sebastian Bazley wrote:
>>I agree with Leo that the problem of jar distribution is absolutely not
>>technical, it's legal and security. Gump executes code downloaded from
>>repositories that the ASF doesn't consider legally trustful.
>>
>>Say I was the author of a weird library that some weird commons code
>>depended on: it is entirely possible to write a task in a build.xml file
>>that recompiles a class in tomcat and opens a back door, and it might take
>>a while to notice.
> 
> One of the Gump Wiki pages -
> http://wiki.apache.org/gump/BrutusConfig/RequestANightlyBuild - states
> 
> "You can set up your own nightly builds in your shell account on minotaur."
> 
> Is the output from such builds publishable?

that is at the discretion of the relevant governing PMC. Like also 
detailed on the wiki, I'm figuring out how to set this up on brutus 
(without having to create 200 accounts). Infrastructure will /not/ be 
pleased if dozens of people start doing this.

Especially not for code that has tests that open up ports, look for X, 
etc. etc. etc. In fact, I'm going to remove that notice now :-D

> The builds need not automatically fetch software from anywhere but the
> Apache CVS, which means that the backdoor scenario above should not happen.

well, that's still a bit of a risk. If someone's account is hacked, a 
backdoor is introduced, and is fixed 24 hours later, there'll be a 
nightly build containing the backdoor. Etc etc. Learn to be paranoid.

- LSD
