I'm not in favour of publishing artifacts from any Jenkins-based systems.
There are many ways to bundle artifacts and publish them from an automated
system.  Why would we use a CI system like Jenkins for this task?  Jenkins
frequently has security vulnerabilities and is designed to run arbitrary
code from the internet.  It is a real possibility that an attacker could
pivot from any Jenkins-based CI system to infect artifacts which would then
potentially be pushed to repositories our users would consume.  I would
consider any system using Jenkins as insecure-by-design, and encourage us
to air-gap any artifact generation (websites, jars, PyPI packages)
completely from a system like that.

An alternative I could see is a simple Dockerfile (no Jenkins) that builds
all artifacts end-to-end and can be run in an automated account well
outside our CI account.

On Mon, Dec 17, 2018 at 1:53 PM Qing Lan <lanking...@live.com> wrote:

> Dear community,
>
> Currently Zach and I are working on the Automated-publish pipeline on
> Jenkins, which is a pipeline used to publish Maven packages and pip packages
> as nightly builds. We are trying to use the NVIDIA deb, which could help us
> to build different CUDA/CUDNN versions in the publish system. Sheng has
> provided a script here: https://github.com/apache/incubator-mxnet/pull/13646.
> This provides a very concrete and automatic solution from downloading to
> installing on the system. The only scenario we are facing is: it seems
> NVIDIA has a restriction on distributing CUDA. We are not sure if it is
> legally safe for us to use this in public.
>
> We would be grateful if somebody has a better context on it and help us
> out!
>
> Thanks,
> Qing
>
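As an added illustration of the "simple Dockerfile, no Jenkins" suggestion in the reply above (this script is not from the thread, the MXNet project, or either author), the sketch below runs the artifact build in a container with no network, no capabilities and a non-root user, so a compromised dependency or build step cannot reach out or touch the host, and then records a SHA-256 manifest of what was produced. The manifest lets a second, independently run build (for example in the separate automated account the reply proposes) be compared byte-for-byte with whatever a CI system claims to have built. The image tag, the output path, and the assumption that the Dockerfile's default command writes finished artifacts to /out are all hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or the project. Assumptions
# (hypothetical): ./Dockerfile exists and its default command writes the
# finished artifacts (wheels, jars, ...) into /out inside the container.
set -eu

IMAGE="${IMAGE:-release-build}"      # hypothetical image tag
OUT_DIR="${OUT_DIR:-$PWD/out}"       # where built artifacts land on the host

# Build the image from the checked-out source tree. Any network access the
# build genuinely needs (dependency downloads) happens here and only here,
# on a machine that is not the CI account.
build_image() {
    docker build --pull -t "$IMAGE" .
}

# Run the actual artifact build with the network disabled, a read-only root
# filesystem, all capabilities dropped and the invoking user's uid/gid.
# Only /out (bind-mounted) and /tmp (tmpfs) are writable.
run_isolated_build() {
    mkdir -p "$OUT_DIR"
    docker run --rm --network none --read-only --tmpfs /tmp \
        --cap-drop ALL --user "$(id -u):$(id -g)" \
        -v "$OUT_DIR:/out" "$IMAGE"
}

# Print a SHA-256 manifest of every file under directory $1, in a stable
# (sorted, locale-independent) order so two manifests can be diffed.
manifest() {
    dir="$1"
    (
        cd "$dir" &&
        find . -type f | LC_ALL=C sort | while read -r f; do
            sha256sum "$f"
        done
    )
}

# Compare two manifest files. Returns 0 when every artifact matches and 1
# (printing the differing entries) when anything was added, removed or
# modified between the two builds.
compare_manifests() {
    if diff -u "$1" "$2"; then
        return 0
    else
        return 1
    fi
}

# Typical use, run from the isolated publishing account:
#   build_image && run_isolated_build
#   manifest "$OUT_DIR" > release.sha256
#   compare_manifests release.sha256 ci-claimed.sha256 || echo "MISMATCH"
```

The comparison is only meaningful if the build is reproducible; where it is not (timestamps, non-deterministic archive ordering), the manifest still serves as a signed record of exactly which bytes the isolated account produced, which is what should be published rather than anything a CI job hands over.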
