On 2013-03-09 23:33:47 +0800 (+0800), Thomas Goirand wrote:
[...]
> I also need to understand how to secure Jenkins. Because
> by default, it's impressive how much Jenkins is a security
> hole where you can execute any command. I was tempted
> to file a bug report against the package because of it. Then
> I saw #697617 and #700761, then gave up... :)
[...]
Yes, it's a chore to keep up with the security vulnerabilities for Jenkins, particularly if you're following mainline instead of stable, since updates become a grab bag of (sometimes unintended) API changes as well as new bugs and regressions. We try to be as proactive as we can, scrape the security index on their wiki and just plain shut down Jenkins services on our servers until we can validate the security fixes and get them applied in production. It's not for the faint of heart.

At this point we're close enough to having Jenkins interactions externally integrated with our other systems that its WebUI isn't much use except for administrative functions. I expect it's not too far in the future that we'll be able to lock it down such that only administrators will have access to that interface.

-- 
{ PGP( 48F9961143495829 );
  FINGER( fu...@cthulhu.yuggoth.org );
  WWW( http://fungi.yuggoth.org/ );
  IRC( fu...@irc.yuggoth.org#ccl );
  WHOIS( STANL3-ARIN );
  MUD( kin...@katarsis.mudpy.org:6669 ); }

Archive: http://lists.debian.org/20130309155027.gg29...@yuggoth.org