On Thu, Jan 16, 2014 at 09:33:34AM -0800, Kohsuke Kawaguchi wrote:
> On 01/16/2014 06:19 AM, Marius Gedminas wrote:
> >What about packaging? The Debian packages available from upstream start
> >the web server on the public IP right from the post-inst script, before
> >you get a chance to set up an
On 01/16/2014 06:19 AM, Marius Gedminas wrote:
On Wed, Jan 15, 2014 at 06:57:07PM -0800, Kohsuke Kawaguchi wrote:
OK, that's embarrassing.
Indeed we haven't figured out how to communicate security problems to
plugin developers. Sometimes it's not obvious who to talk to, and even when
it is obvio
On Wed, Jan 15, 2014 at 06:57:07PM -0800, Kohsuke Kawaguchi wrote:
> OK, that's embarrassing.
>
> Indeed we haven't figured out how to communicate security problems to
> plugin developers. Sometimes it's not obvious who to talk to, and even when
> it is obvious, we haven't configured JIRA to let us
OK, that's embarrassing.
Indeed we haven't figured out how to communicate security problems to
plugin developers. Sometimes it's not obvious who to talk to, and even when
it is obvious, we haven't configured JIRA to let us grant read access on
issue-by-issue basis.
Issues not getting a timely enou
I've modified the server infrastructure so that the PGP public key is
available at https://jenkins-ci.org/jenkins-ci.org.key. These keys are used
to sign native packages. In the next release I'll update those package
documentation to refer to this key location in HTTPS.
Aside from that, regardl
Hi Abhijith,
I think you need to read about chains of trust. Everything that you
suggest below is at best hiding what you are downloading from an
observer. It doesn't stop man in the middle attacks or guarantee that
the contents were not corrupted during transit.
As James suggested all you n
Thanks Teilo. Although I do think downloading sources and inspecting them
would not only be overkill, but also not a foolproof way of ensuring
security. What if the source files are mangled during download?
The only few ways I can think of are
1. to get the binaries and keys/hashes over PGP email
On Sunday, 12 January 2014 22:20:17 UTC, Abhijith Chandrashekar wrote:
>
> > Of course, you'd need a secure way to make sure it's actually his
> signature, but that should be easier than changing the entire distribution
> chain.
>
> That's exactly the problem. Any ideas on how I can do that?
>
>
> Of course, you'd need a secure way to make sure it's actually his
signature, but that should be easier than changing the entire distribution
chain.
That's exactly the problem. Any ideas on how I can do that?
Thanks,
Abhijith
On Sat, Jan 11, 2014 at 1:12 AM, Daniel Beck wrote:
> On 08.01.20
On 08.01.2014, at 23:08, Abhijith Chandrashekar
wrote:
> This raises possibilities of a Man-in-the-middle attack compromising the
> integrity of the repo or the key or both.
The war packages themselves are signed by Kohsuke. You can use the tool
'jarsigner' to verify.
Of course, you'd need a
On 10.01.2014, at 18:11, teilo wrote:
> Have you helped to improve this situation by actually reporting them via the
> proper channels?
Yes. That's why I consider the resolution process to be broken. The "proper
channels" don't work.
The first security issue I reported was SECURITY-35 in emai
>
>
> > an interesting target for attacks
>
> Jenkins security is a joke. You can find security issues without trying,
> even in core. And the process to resolve them seems to be really broken.
>
>
Have you helped to improve this situation by actually reporting them via
the proper channels?
h
On 10.01.2014, at 16:56, Johannes Wienke
wrote:
> an interesting target for attacks
Jenkins security is a joke. You can find security issues without trying, even
in core. And the process to resolve them seems to be really broken.
Hi,
I'd like to underline this issue. With the increasing use of Jenkins, it
might actually become an interesting target for attacks, as in some
environments the jenkins installation is tightly integrated into the
system infrastructure, e.g. generating binary packages for linux
distributions etc.
Hello all,
I work with a tech company where we're trying to establish a pristine build
environment for all of our products. As part of this, we are looking to
create a Jenkins CI server from scratch using the most secure methods
possible. This would be on an underlying CentOS 6.2 machine. From
15 matches