Re: RE : Gerrit, Git requirements, cooperation with others. was: git dangerous operations on alioth



On 2013-03-09 23:33:47 +0800 (+0800), Thomas Goirand wrote:
[...]
> I also need to understand how to secure Jenkins. Because
> by default, it's impressive how much Jenkins is a security
> hole where you can execute any command. I was tempted
> to file a bug report against the package because of it. Then
> I saw #697617 and #700761, then gave up... :)
[...]

Yes, it's a chore to keep up with the security vulnerabilities for
Jenkins, particularly if you're following mainline instead of stable
since updates become a grab bag of (sometimes unintended) API
changes as well as new bugs and regressions. We try to be as
proactive as we can, scrape the security index on their wiki and
just plain shut down Jenkins services on our servers until we can
validate the security fixes and get them applied in production. It's
not for the faint of heart.

At this point we're close enough to having Jenkins interactions
externally integrated with our other systems that its WebUI isn't
much use except for administrative functions. I expect it's not too
far in the future that we'll be able to lock it down such that only
administrators will have access to that interface.
-- 
{ PGP( 48F9961143495829 ); FINGER( fungi@cthulhu.yuggoth.org );
WWW( http://fungi.yuggoth.org/ ); IRC( fungi@irc.yuggoth.org#ccl );
WHOIS( STANL3-ARIN ); MUD( kinrui@katarsis.mudpy.org:6669 ); }
