> -----Original Message-----
> From: Aristedes Maniatis [mailto:a...@maniatis.org]
> Sent: Monday, 25 January 2010 11:34 AM
> To: builds@apache.org
> Subject: Re: publishing artifacts from hudson build node to
> people.apache.org
>
> I raised this on infra a little while ago and there was agreement that
> keeping SSH keys on Hudson is pretty dangerous. At the least, the SSH
> user will need to be able to change your live production web site. So
> any compromise of Hudson servers will by default allow an attacker to
> change Apache web sites which lets them inject malicious keys, code,
> etc.
>
> My way seems safer all around, with the downside that you have to
> get your timing right and the changes will happen with a bit of a
> delay. But for Javadoc, that didn't seem to be a problem. Don't know
> about your requirements.

I agree. I don't think having slaves and/or committer user accts ssh-ing directly to people is a good idea. Slaves should be considered untrusted.

What I think might be a better setup is for projects to be able to deploy to a temp staging area on the Hudson Master. The Hudson master then has a special acct to be able to sync to people.

So, one restricted, specially set up acct from the master rather than many untrusted users from many untrusted slaves.

Gav...

>
> Ari
>
>
> On 25/01/10 12:14 PM, Andreas Andreou wrote:
> > Thanks... So, you're doing it the other way around... interesting!
> >
> > For the record, I've also found
> > http://struts.apache.org/2.1.8.1/docs/apache-struts-pseudo-nightly-builds-on-apache-hudson.html
> > which basically describes that the struts guys use the 'wesw' account
> > for sshing to people.apache.org
> >
> > On Mon, Jan 25, 2010 at 02:56, Aristedes Maniatis <a...@maniatis.org> wrote:
> >> On 25/01/10 11:24 AM, Andreas Andreou wrote:
> >>>
> >>> How are people making this work? Is any apache project using hudson to
> >>> update parts of their website?
> >>
> >> Yes, I'm pulling Javadocs from Hudson like this:
> >>
> >> http://svn.apache.org/repos/asf/cayenne/site/trunk/tlp-site/bin/deployJavadoc.sh
> >>
> >>
> >> Ari
> >>
> >> --
> >> -------------------------->
> >> Aristedes Maniatis
> >> GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
> >>
>
> --
> -------------------------->
> Aristedes Maniatis
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
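
An added example, not part of this thread and not the Cayenne deployJavadoc.sh script: a pull-side deploy step of the kind discussed above, run on the web host, that treats an archive fetched from the build server as untrusted input before it replaces the live directory. The function names, the archive layout and the use of GNU tar are assumptions.

```shell
#!/bin/sh
# Added example: names, paths and GNU tar usage are assumptions.

# Read archive member names on stdin; fail if any could escape the
# extraction directory (absolute path or a ".." path component).
listing_is_safe() {
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# Read "tar -tv" lines on stdin; accept only regular files ("-") and
# directories ("d"), so symlinks, hard links and devices are refused.
types_are_safe() {
    while IFS= read -r line; do
        case "$line" in
            -*|d*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# deploy_archive ARCHIVE LIVE_DIR
# Validate, unpack next to the live directory, then swap it in.
deploy_archive() {
    archive=$1
    live=$2
    tar -tf "$archive" | listing_is_safe || return 1
    tar -tvf "$archive" | types_are_safe || return 1
    new=$(mktemp -d "${live}.new.XXXXXX") || return 1
    if ! tar -xf "$archive" -C "$new" --no-same-owner; then
        rm -rf "$new"
        return 1
    fi
    chmod 755 "$new"
    rm -rf "${live}.old"
    if [ -d "$live" ]; then
        mv "$live" "${live}.old"
    fi
    mv "$new" "$live"
}
```

Run from a scheduled job on the web host after the archive has been downloaded, this keeps the deploy credentials off the build server entirely; a rejected archive leaves the live directory untouched.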