Posted to builds@apache.org by Andreas Andreou <an...@apache.org> on 2010/01/25 01:24:36 UTC

publishing artifacts from hudson build node to people.apache.org

Hi,
I'd like to publish a maven generated site from a build node (in our case
vesta.apache.org) to people.apache.org

I see two options to do this:
1) issue mvn deploy
2) use hudson's scp plugin

I'm not comfortable with either solution because both require me to store my
ssh credentials on the build node.

How are people making this work? Is any apache project using hudson to update
parts of their website?

-- 
Andreas Andreou - andyhot@apache.org - http://blog.andyhot.gr
Tapestry / Tacos developer
Open Source / JEE Consulting

Re: publishing artifacts from hudson build node to people.apache.org

Posted by Aristedes Maniatis <ar...@maniatis.org>.
On 25/01/10 12:47 PM, Gav... wrote:
> What I think might be a better setup, is for projects to be able to deploy
> to a temp staging area on the
> Hudson Master. The Hudson master then has a special acct to be able to sync
> to people. So, one restricted
> specially setup acct from the master rather than many untrusted users from
> many untrusted slaves.

Some special problems this might raise:

* how will the sync script know which group to assign to files pushed in this way?
* this still means that a break-in to Hudson results in the ability to overwrite every web site on the Apache server with arbitrary data: if anything this results in a wider security breach than being able to hack just a single site if separate keys are used.

Ari

-- 
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
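
The restricted-account design Gav proposes above, together with Ari's question about which group the sync assigns, as an added example in POSIX sh (not code from either poster or from Apache infrastructure): a forced-command wrapper for the sync account on the Hudson master. The paths, the project-to-group table and the destination host path are assumed placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Forced-command wrapper for the
# restricted sync account on the Hudson master. The account's
# authorized_keys entry pins every login to this script (placeholder key):
#   command="/usr/local/bin/staging-sync",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER
# so a job can only ask for "publish <project>"; it never gets a shell.
# Paths and the project:group table below are constructed placeholders.

STAGING_ROOT="${STAGING_ROOT:-/var/hudson/staging}"   # staging area on the master
SITE_DEST="${SITE_DEST:-people.apache.org:/www}"      # assumed site layout

# The script, not the caller, decides the group (Ari's question): a fixed
# allowlist of project:unix-group pairs. Anything not listed is refused.
GROUP_MAP='cayenne:cayenne
struts:struts
tapestry:tapestry'

# project_group NAME: print the group of an allowlisted project; return 1
# for unknown names or anything outside [a-z0-9-] (so no "..", "/", ";").
project_group() {
    case "$1" in
        ''|*[!a-z0-9-]*) return 1 ;;
    esac
    g=$(printf '%s\n' "$GROUP_MAP" | awk -F: -v p="$1" '$1 == p { print $2; exit }')
    [ -n "$g" ] || return 1
    printf '%s\n' "$g"
}

# build_sync_cmd "publish NAME": print the one rsync invocation this
# account may run, or return 1. The client's command line is treated as
# data; the single verb "publish" is matched literally.
build_sync_cmd() {
    case "$1" in
        "publish "*) name="${1#publish }" ;;
        *) return 1 ;;
    esac
    grp=$(project_group "$name") || return 1
    # --chown needs rsync >= 3.1 on the receiving side; it forces the group there
    printf 'rsync -a --chown=:%s %s/%s/ %s/%s/\n' \
        "$grp" "$STAGING_ROOT" "$name" "$SITE_DEST" "$name"
}

# Entry point when sshd runs this as the forced command: the job's requested
# command arrives in SSH_ORIGINAL_COMMAND. Guarded so sourcing the file
# (for tests) executes nothing.
if [ "${STAGING_SYNC_RUN:-0}" = 1 ]; then
    cmd=$(build_sync_cmd "${SSH_ORIGINAL_COMMAND:-}") ||
        { echo "refused: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2; exit 1; }
    exec $cmd   # validated components contain no whitespace, so plain splitting is safe
fi
```

A compromised slave holding this key can only trigger a sync of its own allowlisted project directory; it cannot choose a destination, a group, or a command, which is the narrowing Gav's "one restricted acct" aims for.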

RE: publishing artifacts from hudson build node to people.apache.org

Posted by "Gav..." <ga...@16degrees.com.au>.

> -----Original Message-----
> From: Aristedes Maniatis [mailto:ari@maniatis.org]
> Sent: Monday, 25 January 2010 11:34 AM
> To: builds@apache.org
> Subject: Re: publishing artifacts from hudson build node to
> people.apache.org
> 
> I raised this on infra a little while ago and there was agreement that
> keeping SSH keys on Hudson is pretty dangerous. At the least, the SSH
> user will need to be able to change your live production web site. So
> any compromise of Hudson servers will by default allow an attacker to
> change Apache web sites which lets them inject malicious keys, code,
> etc.
> 
> My way seems safer all around, with the downside that you have to
> get your timing right and the changes will happen with a bit of a
> delay. But for Javadoc, that didn't seem to be a problem. Don't know
> about your requirements.

I agree. I don't think having slaves and/or committer user accts ssh-ing
directly to people is a good idea.
Slaves should be considered untrusted.

What I think might be a better setup, is for projects to be able to deploy
to a temp staging area on the 
Hudson Master. The Hudson master then has a special acct to be able to sync
to people. So, one restricted
specially setup acct from the master rather than many untrusted users from
many untrusted slaves.

Gav...

> 
> Ari
> 
> 
> On 25/01/10 12:14 PM, Andreas Andreou wrote:
> > Thanks... So, you're doing it the other way around... interesting!
> >
> > For the record, I've also found
> > http://struts.apache.org/2.1.8.1/docs/apache-struts-pseudo-nightly-builds-on-apache-hudson.html
> > which basically describes that the struts guys use the 'wesw' account
> > for sshing to people.apache.org
> >
> > On Mon, Jan 25, 2010 at 02:56, Aristedes Maniatis<ar...@maniatis.org>
> wrote:
> >> On 25/01/10 11:24 AM, Andreas Andreou wrote:
> >>>
> >>> How are people making this work? Is any apache project using hudson
> to
> >>> update
> >>> parts of their website?
> >>
> >> Yes, I'm pulling Javadocs from Hudson like this:
> >>
> >>   http://svn.apache.org/repos/asf/cayenne/site/trunk/tlp-site/bin/deployJavadoc.sh
> >>
> >>
> >> Ari
> >>
> >> --
> >> -------------------------->
> >> Aristedes Maniatis
> >> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
> >>
> >
> >
> >
> 
> --
> -------------------------->
> Aristedes Maniatis
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A



Re: publishing artifacts from hudson build node to people.apache.org

Posted by Aristedes Maniatis <ar...@maniatis.org>.
I raised this on infra a little while ago and there was agreement that keeping SSH keys on Hudson is pretty dangerous. At the least, the SSH user will need to be able to change your live production web site. So any compromise of Hudson servers will by default allow an attacker to change Apache web sites which lets them inject malicious keys, code, etc.

My way seems safer all around, with the downside that you have to get your timing right and the changes will happen with a bit of a delay. But for Javadoc, that didn't seem to be a problem. Don't know about your requirements.

Ari


On 25/01/10 12:14 PM, Andreas Andreou wrote:
> Thanks... So, you're doing it the other way around... interesting!
>
> For the record, I've also found
> http://struts.apache.org/2.1.8.1/docs/apache-struts-pseudo-nightly-builds-on-apache-hudson.html
> which basically describes that the struts guys use the 'wesw' account
> for sshing to people.apache.org
>
> On Mon, Jan 25, 2010 at 02:56, Aristedes Maniatis<ar...@maniatis.org>  wrote:
>> On 25/01/10 11:24 AM, Andreas Andreou wrote:
>>>
>>> How are people making this work? Is any apache project using hudson to
>>> update
>>> parts of their website?
>>
>> Yes, I'm pulling Javadocs from Hudson like this:
>>
>>   http://svn.apache.org/repos/asf/cayenne/site/trunk/tlp-site/bin/deployJavadoc.sh
>>
>>
>> Ari
>>
>> --
>> -------------------------->
>> Aristedes Maniatis
>> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
>>
>
>
>

-- 
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A

Re: publishing artifacts from hudson build node to people.apache.org

Posted by Andreas Andreou <an...@apache.org>.
Thanks... So, you're doing it the other way around... interesting!

For the record, I've also found
http://struts.apache.org/2.1.8.1/docs/apache-struts-pseudo-nightly-builds-on-apache-hudson.html
which basically describes that the struts guys use the 'wesw' account
for sshing to people.apache.org

On Mon, Jan 25, 2010 at 02:56, Aristedes Maniatis <ar...@maniatis.org> wrote:
> On 25/01/10 11:24 AM, Andreas Andreou wrote:
>>
>> How are people making this work? Is any apache project using hudson to
>> update
>> parts of their website?
>
> Yes, I'm pulling Javadocs from Hudson like this:
>
>  http://svn.apache.org/repos/asf/cayenne/site/trunk/tlp-site/bin/deployJavadoc.sh
>
>
> Ari
>
> --
> -------------------------->
> Aristedes Maniatis
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
>



-- 
Andreas Andreou - andyhot@apache.org - http://blog.andyhot.gr
Tapestry / Tacos developer
Open Source / JEE Consulting

Re: publishing artifacts from hudson build node to people.apache.org

Posted by Aristedes Maniatis <ar...@maniatis.org>.
On 25/01/10 11:24 AM, Andreas Andreou wrote:
> How are people making this work? Is any apache project using hudson to update
> parts of their website?

Yes, I'm pulling Javadocs from Hudson like this:

   http://svn.apache.org/repos/asf/cayenne/site/trunk/tlp-site/bin/deployJavadoc.sh


Ari

-- 
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A