www-builds mailing list archives

From "Gav..." <ga...@16degrees.com.au>
Subject RE: publishing artifacts from hudson build node to people.apache.org
Date Mon, 25 Jan 2010 01:47:17 GMT


> -----Original Message-----
> From: Aristedes Maniatis [mailto:ari@maniatis.org]
> Sent: Monday, 25 January 2010 11:34 AM
> To: builds@apache.org
> Subject: Re: publishing artifacts from hudson build node to people.apache.org
> 
> I raised this on infra a little while ago and there was agreement that
> keeping SSH keys on Hudson is pretty dangerous. At the least, the SSH
> user will need to be able to change your live production web site. So
> any compromise of Hudson servers will by default allow an attacker to
> change Apache web sites which lets them inject malicious keys, code,
> etc.
> 
> My way seems safer all around, with the downside being that you have to
> get your timing right and the changes will happen with a bit of a
> delay. But for Javadoc, that didn't seem to be a problem. Don't know
> about your requirements.

I agree. I don't think having slaves and/or committer user accts ssh-ing
directly to people is a good idea.
Slaves should be considered untrusted.

What I think might be a better setup is for projects to be able to deploy to
a temp staging area on the Hudson Master. The Hudson master then has a special
acct to be able to sync to people. So, one restricted, specially set up acct
from the master rather than many untrusted users from many untrusted slaves.

Gav...
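The staging-area design Gav sketches above, written out as an added shell example; this is not code from the thread, from Apache infrastructure or from Hudson. Everything it assumes is labelled: the staging root `/srv/hudson-staging` on the master, a single sync account `hudson-sync` on people.apache.org, the use of rsync's bundled `rrsync` wrapper on the receiving side to confine that account to one directory tree, and constructed sample values for the key and project names. It shows the two controls the design rests on: jobs can only write inside their own staging directory on the master, and the one key that leaves the master can do nothing but rsync into a fixed remote directory.

```shell
# Added example (not from the thread or Apache infra). Sketches Gav's design:
# jobs drop output into a per-project staging area on the Hudson master, and a
# single restricted account on the master pushes that area to people.apache.org.
# Assumed (not on the page): staging root /srv/hudson-staging, remote account
# hudson-sync, and rsync's bundled rrsync wrapper installed on the remote side.

STAGING_ROOT="${STAGING_ROOT:-/srv/hudson-staging}"
SYNC_ACCOUNT="${SYNC_ACCOUNT:-hudson-sync@people.apache.org}"

# Accept only plain project names, so a build job cannot name a directory
# outside the staging root (no empty name, no leading dot, no slashes, no "..",
# no shell metacharacters).
valid_project() {
  case "$1" in
    ''|.*|*/*|*..*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# Resolve the staging directory for one project; fails on an invalid name.
staging_dir() {
  valid_project "$1" || return 1
  printf '%s/%s\n' "$STAGING_ROOT" "$1"
}

# The authorized_keys entry for the sync key on people.apache.org: one key,
# one forced command (rrsync confined to the given directory), and no shell,
# PTY, rc file or forwarding. These are standard OpenSSH authorized_keys
# options; rrsync rejects any remote path outside its directory argument.
# $1 = public key line, $2 = directory the key may write under
authorized_keys_entry() {
  printf 'command="rrsync %s",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding %s\n' "$2" "$1"
}

# The rsync invocation the master's sync account runs for one project. With
# rrsync on the far side, the remote path is taken relative to the confined
# directory, so the job can only choose where inside that tree it lands.
# $1 = project, $2 = remote path under the confined directory
sync_command() {
  src=$(staging_dir "$1") || return 1
  printf 'rsync -az --delete %s/ %s:%s/\n' "$src" "$SYNC_ACCOUNT" "$2"
}

# Usage (constructed sample values):
#   authorized_keys_entry 'ssh-ed25519 AAAAC3EXAMPLEKEY hudson-master-sync' /www/example.apache.org
#   sync_command cayenne docs/javadoc
```

The point of splitting the work this way is that a compromised slave, or a job script edited by a committer, can at worst corrupt its own project's staging directory; it never holds a key to people.apache.org. The key on the master is in turn useless for anything other than rsync into the one site tree, so even its theft does not hand over a shell or the ability to write elsewhere on the host.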

> 
> Ari
> 
> 
> On 25/01/10 12:14 PM, Andreas Andreou wrote:
> > Thanks... So, you're doing it the other way around... interesting !
> >
> > For the record, i've also found
> > http://struts.apache.org/2.1.8.1/docs/apache-struts-pseudo-nightly-builds-on-apache-hudson.html
> > which basically describes that the struts guys use the 'wesw' account
> > for sshing to people.apache.org
> >
> > On Mon, Jan 25, 2010 at 02:56, Aristedes Maniatis <ari@maniatis.org> wrote:
> >> On 25/01/10 11:24 AM, Andreas Andreou wrote:
> >>>
> >>> How are people making this work? Is any apache project using hudson to
> >>> update parts of their website?
> >>
> >> Yes, I'm pulling Javadocs from Hudson like this:
> >>
> >>   http://svn.apache.org/repos/asf/cayenne/site/trunk/tlp-site/bin/deployJavadoc.sh
> >>
> >>
> >> Ari
> >>
> >> --
> >> -------------------------->
> >> Aristedes Maniatis
> >> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
> >>
> >
> >
> >
> 
> --
> -------------------------->
> Aristedes Maniatis
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A


