Jarek> What credentials are you talking about?

Please report it to security@ then. If it works this way, this is a serious security threat IMHO.

On Wed, Dec 30, 2020 at 11:42 AM Vladimir Sitnikov <[email protected]> wrote:

> Jarek> What credentials are you talking about?
>
> For instance, asfNexusUsername/asfNexusPassword (see
> https://cwiki.apache.org/confluence/display/INFRA/Gradle+Installations ).
> I assume there exists something like a git-websites Jenkins node label that
> has privileges to update the project site (see
> https://cwiki.apache.org/confluence/display/INFRA/Jenkins+node+labels ).
>
> Jarek> Not as long as the build cannot write to the github repository and modify
> Jarek> code.
>
> ASF Jenkins nodes are stateful, and they do have credentials of some kind.
> On top of that, a malicious build script plugin could use the developer's
> credentials to make changes to the repositories.
>
> Vladimir

--
+48 660 796 129
