www-builds mailing list archives

From Gavin McDonald <ipv6g...@gmail.com>
Subject Re: Can we package release artifacts on builds.a.o?
Date Sat, 08 Dec 2018 15:54:05 GMT
Additionally, nobody should have their creds stored anywhere other than on their
own machine.

On Sat, Dec 8, 2018 at 3:49 PM Allen Wittenauer
<aw@effectivemachines.com.invalid> wrote:

>
>
> > On Dec 7, 2018, at 11:56 PM, Alex Harui <aharui@adobe.com.INVALID>
> wrote:
> >
> >
> >
> > On 12/7/18, 10:49 PM, "Allen Wittenauer" <aw@effectivemachines.com.INVALID>
> wrote:
> >
> >
> >
> >> On Dec 7, 2018, at 10:22 PM, Alex Harui <aharui@adobe.com.INVALID>
> wrote:
> >>
> >> Maven's release plugins commit and push to Git and upload to
> repository.a.o.  I saw that some folks have a node that can commit to the
> a.o website SVN.  Is anyone already doing releases from builds?  What
> issues are there, if any?
> >
> >       It's just flat out not secure enough to do a release on.
> >
> > Can you give me an example of how it isn't secure enough?
>
>
>         The primary purpose of these servers is to run untested,
> unverified code.
>
>         Jenkins has some very sharp security corners that make it
> trivially un-trustable.  Something easy to understand: when Jenkins is
> configured to run multiple builds on a node, all builds on that node run in
> the same user space. Because there is no separation between executors, it's
> very possible for anyone to execute something that modifies another running
> build.  For example, probably the biggest bang for the least amount of work
> would be to replace jars in the shared maven cache.
>
>         [... and no, Docker doesn't help.]
>
>         There are other, bigger problems, but I'd rather not put that out
> in the public.
>
>
>

-- 
Gav...
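Added example, not code from this thread or from the ASF builds setup: a baseline-and-verify check over a Maven local repository, the kind of tamper detection the quoted concern about replacing jars in a shared cache calls for. It assumes the standard Maven layout (group/artifact/version/artifact-version.jar with a `.sha1` sidecar Maven writes on download); the paths and jar bytes in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha1_of(path: Path) -> str:
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(repo: Path) -> dict:
    """SHA-1 of every .jar/.pom under the cache, keyed by POSIX relative path."""
    return {p.relative_to(repo).as_posix(): sha1_of(p)
            for p in sorted(repo.rglob("*"))
            if p.is_file() and p.suffix in (".jar", ".pom")}

def verify(repo: Path, baseline: dict) -> dict:
    """Diff the cache against a baseline taken before the build ran.
    Also flags artifacts whose .sha1 sidecar (written by Maven on download)
    disagrees with the file; that is only a weak signal, since anything
    running as the same uid can rewrite the sidecar too."""
    current = snapshot(repo)
    found = {"added": [], "modified": [], "removed": [], "sidecar_mismatch": []}
    for rel, digest in current.items():
        if rel not in baseline:
            found["added"].append(rel)
        elif baseline[rel] != digest:
            found["modified"].append(rel)
        sidecar = repo / (rel + ".sha1")
        parts = sidecar.read_text().split() if sidecar.exists() else []
        if parts and parts[0].lower() != digest:  # Maven may append a filename
            found["sidecar_mismatch"].append(rel)
    found["removed"] = [rel for rel in baseline if rel not in current]
    return found

def demo() -> dict:
    """Constructed cache in a temp dir: baseline it, then simulate a swapped jar."""
    root = Path(tempfile.mkdtemp())
    jar = root / "org/example/lib/1.0/lib-1.0.jar"
    jar.parent.mkdir(parents=True)
    jar.write_bytes(b"PK\x03\x04 original bytes")  # constructed stand-in for a jar
    jar.with_name(jar.name + ".sha1").write_text(sha1_of(jar))
    baseline = snapshot(root)
    jar.write_bytes(b"PK\x03\x04 replaced bytes")  # simulated overwrite by another build
    return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Take the baseline before the job starts and verify after it finishes; a per-build `-Dmaven.repo.local` under the workspace avoids the shared cache altogether.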
