On 01/07/2013 05:11 PM, Denis Roy wrote: > I'm not sure I follow your train of thought re: exposing the ssh port to > the world, since build/dev/git.eclipse.org's SSH port already is. My > fear is that, if committer passwords and/or private keys are stored on > anonymously-accessible web applications (such as hudson.eclipse.org) > that information could potentially be obtained by individuals with ill > intent. If the committer account in question has a full shell, that > could mean real trouble for us from a security perspective.
Hi Denis, what about a restricted shell then that is limited to certain commands like git pushing tags and uploading/downloading binary artifacts for signing? In combination with a per-project build/ci-account it would help improve security further. Markus _______________________________________________ cross-project-issues-dev mailing list [email protected] https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
