Thanks for the info, Dan! Assuming we went this route, what do we use to manage private production configurations? Is there a project that would be a good template I could check out? I would ignorantly guess that we probably have at least a couple ultra secure machines somewhere and am trying to come up to speed with how these are versioned and maintained, and the general infrastructure available.
--stephen

On Wed, Aug 12, 2015 at 6:32 PM, Dan Duvall <[email protected]> wrote:

> On Wed, Aug 12, 2015 at 4:05 PM, Stephen Niedzielski <[email protected]> wrote:
>
>> Assuming a better solution does not exist, I _think_ what I'm ultimately asking for is a Zuul managed / JJB maintained private Jenkins instance only accessible over SSH, if that makes sense. Is there anything like that? There must be other teams in the foundation that need a secure release job and we could either leverage their solution or they ours.
>
> There's a fundamental problem with signing on a Jenkins slave, private or shared, in that it will trust and execute anything the master gives it. It's also possible that the master (and other slaves by extension) is vulnerable to slave response forgery as well.[1]
>
> I think to do automated signing right, we'd want to start with a dedicated production host that independently polls/listens for CR events and executes only tightly reviewed jobs that are outside the realm of our CI Zuul/Jenkins altogether. Whether this would be another, completely private, Jenkins /cluster/ or something lighter, I'm not sure.
>
> [1] https://groups.google.com/d/topic/jenkinsci-users/W5dKc06l1qs/discussion
>
> --
> Dan Duvall
> Automation Engineer
> Wikimedia Foundation <http://wikimediafoundation.org>
_______________________________________________ QA mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/qa
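An added illustration of the pull-model design Dan describes (a dedicated host that fetches review events itself and runs only scripts that were pinned at review time); this is example code, not Wikimedia's or Jenkins' own, and `ReviewedJobs`, `ReviewEvent`, `handle_event` and all sample data are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class ReviewEvent:
    """A change-review event the signing host fetched itself (constructed sample)."""
    job: str        # job name, e.g. "sign-release-apk"
    change: str     # change identifier (placeholder)
    script: bytes   # job script as fetched from the reviewed job repository


class ReviewedJobs:
    """Hypothetical allowlist: job name -> sha256 of the script as it was reviewed.

    Entries are added only by a reviewer on the signing host, never by CI."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def pin(self, job: str, reviewed_script: bytes) -> str:
        digest = hashlib.sha256(reviewed_script).hexdigest()
        self._pins[job] = digest
        return digest

    def is_reviewed(self, job: str, script: bytes) -> bool:
        pinned = self._pins.get(job)
        if pinned is None:
            return False  # unknown job: nothing was ever reviewed, so refuse
        actual = hashlib.sha256(script).hexdigest()
        return hmac.compare_digest(pinned, actual)


def handle_event(pins: ReviewedJobs, event: ReviewEvent,
                 run: Callable[[ReviewEvent], str]) -> Tuple[str, str]:
    """Pull-model dispatch: execute only if the fetched script is byte-identical
    to the reviewed one. Anything else is refused, unlike a Jenkins slave that
    executes whatever its master sends."""
    if not pins.is_reviewed(event.job, event.script):
        return ("refused", event.job)
    return ("ran", run(event))


if __name__ == "__main__":
    pins = ReviewedJobs()
    reviewed = b"#!/bin/sh\ngpg --detach-sign release.apk\n"   # constructed script
    pins.pin("sign-release-apk", reviewed)
    good = ReviewEvent("sign-release-apk", "CHANGE-ID-PLACEHOLDER", reviewed)
    bad = ReviewEvent("sign-release-apk", "CHANGE-ID-PLACEHOLDER", reviewed + b"echo extra\n")
    print(handle_event(pins, good, lambda e: "signed " + e.change))
    print(handle_event(pins, bad, lambda e: "signed " + e.change))
```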
