[squeak-dev] Re: [CI] Security

H. Hirzel hannes.hirzel at gmail.com
Tue Sep 6 09:00:40 UTC 2011


Is there any news about setting up CI?

--Hannes

On 6/24/11, Frank Shearar <frank.shearar at gmail.com> wrote:
> On 24 June 2011 19:50, Yanni Chiu <yanni at rogers.com> wrote:
>> On 24/06/11 8:17 AM, Frank Shearar wrote:
>>>
>>> I suppose we have to ask what we want out of the CI - do we want
>>> pretty web pages with red and blue icons? Would a simple mail on a
>>> breaking build be sufficient for our needs? (Or a mail for a
>>> successful one: noisier, but allows one to distinguish between a
>>> working build and a dead CI server.)
>>
>> People can get an RSS feed for all builds, failed builds, etc.
>>
>>> If that's all that's needed, then I suspect one could do something
>>> like run the Hudson installation on a local port, and have people use
>>> ssh forwarding: ssh -L 8000:foo.bar.com:9090 me@foo.bar.com and then
>>> you can go to http://localhost:8000/.
>>
>> I don't understand why this is needed.
>
> Because then you're relying on ssh keys to authenticate a user, not
> some flakey userland authentication scheme. And because then those
> with shell access can use the web UI without exposing Hudson to
> attack.
>
> Also, because the owner of the server on my jail won't permit an
> exposed Hudson, precisely because of the kinds of things Hudson can
> do.
>
>>> Not undoably bad for the CI admin. If we want to serve up "this is how
>>> things are going" on a web page, I _guess_ we could do that with
>>> Apache RewriteRule-fu. Anyone clued up on that?
>>
>> I don't understand why any web page development is needed. Hudson/Jenkins
>> has a web UI already. Just open up a firewall portno for whichever portno
>> it's listening on.
>
> I'm not talking about web page development. I'm talking about
> selectively exposing read-only status pages.
>
>> However, a nicer configuration would be to set "ci.squeak.org" to redirect
>> to localhost:8080 (or whatever portno it's set to use).
>
> That's not a bad idea!
>
> frank
>
>


