www-builds mailing list archives

From Aristedes Maniatis <...@maniatis.org>
Subject Re: publishing artifacts from hudson build node to people.apache.org
Date Mon, 25 Jan 2010 01:33:41 GMT
I raised this on infra a little while ago and there was agreement that keeping SSH keys on
Hudson is pretty dangerous. At the least, the SSH user will need to be able to change your
live production web site. So any compromise of Hudson servers will by default allow an attacker
to change Apache web sites which lets them inject malicious keys, code, etc.

My way seems safer all around, with the downside being that you have to get your timing right
and the changes will happen with a bit of a delay. But for Javadoc, that didn't seem to be
a problem. Don't know about your requirements.

Ari


On 25/01/10 12:14 PM, Andreas Andreou wrote:
> Thanks... So, you're doing it the other way around... interesting!
>
> For the record, I've also found
> http://struts.apache.org/2.1.8.1/docs/apache-struts-pseudo-nightly-builds-on-apache-hudson.html
> which basically describes that the struts guys use the 'wesw' account
> for sshing to people.apache.org
>
> On Mon, Jan 25, 2010 at 02:56, Aristedes Maniatis <ari@maniatis.org> wrote:
>> On 25/01/10 11:24 AM, Andreas Andreou wrote:
>>>
>>> How are people making this work? Is any apache project using hudson to
>>> update
>>> parts of their website?
>>
>> Yes, I'm pulling Javadocs from Hudson like this:
>>
>>   http://svn.apache.org/repos/asf/cayenne/site/trunk/tlp-site/bin/deployJavadoc.sh
>>
>>
>> Ari
>>
>> --
>> -------------------------->
>> Aristedes Maniatis
>> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
>>
>
>
>

-- 
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
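
The pull model described in this message, sketched as an added example (it is not the Cayenne deployJavadoc.sh script, whose contents are not shown on this page): the web host fetches the build archive over HTTPS and unpacks it itself, so Hudson holds no SSH key for the site. The URL, paths and function names are assumptions, and the archive is treated as untrusted input because it comes from the build server.

```shell
#!/bin/sh
# Added example: pull-model deploy, run on the web host (for instance from cron).
# URL, paths and function names are placeholders, not the Cayenne script's.

# Read archive entry names on stdin; fail on absolute paths or ".." components.
listing_is_safe() {
    while IFS= read -r entry; do
        case "$entry" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# $1 = downloaded tar.gz, $2 = live docs directory.
# Validates the archive, unpacks into a staging dir, then swaps it into place.
deploy_archive() {
    archive=$1 live=$2
    listing=$(tar -tzf "$archive" 2>/dev/null) || return 1   # unreadable/corrupt
    [ -n "$listing" ] || return 1                              # empty archive
    printf '%s\n' "$listing" | listing_is_safe || return 1     # path traversal
    # Refuse link entries (first letter l or h in the verbose listing).
    if tar -tvzf "$archive" | grep -q '^[lh]'; then return 1; fi
    stage=$(mktemp -d "${live}.new.XXXXXX") || return 1
    tar -xzf "$archive" -C "$stage" || { rm -rf "$stage"; return 1; }
    chmod 755 "$stage"            # mktemp creates it 0700; the web server must read it
    rm -rf "${live}.old"
    if [ -d "$live" ]; then mv "$live" "${live}.old"; fi
    mv "$stage" "$live"
}

# $1 = HTTPS URL of the build artifact, $2 = live docs directory.
# The web host initiates the transfer; the build server needs no credentials here.
pull_and_deploy() {
    tmp=$(mktemp) || return 1
    if curl -fsS --proto '=https' -o "$tmp" "$1" && deploy_archive "$tmp" "$2"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Constructed cron-style invocation (placeholder URL and path):
# pull_and_deploy "https://hudson.example.org/job/myproject/javadoc.tar.gz" /var/www/site/javadoc
```

A build server compromise can still hand the web host bad content this way, but it no longer yields a login on the host that serves the site.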
