This bit of CONTINUUM-2599 caught my eye: "Current workaround to get Build Agent's installation is by directly using the Build Agent Web Service."
I was under the impression that while the build agent would accept XML-RPC requests from anyone, it would only send responses back to the master defined in its config file. (See CONTINUUM-2044)

Did something change and you are now able to connect directly to the agent and do things/get information without an authorization check? (There is no authentication/authorization on the build agent. (right?))

In addition, a comment on 2044 reminded me that CONTINUUM-2545 added unsecured webdav access to the working copy.

Any thoughts on whether build agents should be better secured, and if so how?

* http://jira.codehaus.org/browse/CONTINUUM-2599
* http://jira.codehaus.org/browse/CONTINUUM-2044
* http://jira.codehaus.org/browse/CONTINUUM-2545

-- Wendy
