On 21/07/2008, at 12:20 PM, Jason van Zyl wrote:
>> The important thing is that the release process does not use your
>> credentials for either SVN or SSH when it's not you doing the
>> release.
>
> I don't think that's important at all, but I can easily fix it.

Do I have to SSH into your account or lock you out of SVN to convince
you it is important? :)
Now I trust all the committers on this project not to do that (and
besides, it would be recorded if they did!), but what happens when
someone finds an exploit in Hudson?

> What's important is that the release is made in a sane way, with
> as much constant as possible. Who does the release would be easily
> recorded. But I can easily collect credentials so a release manager
> can store them for reuse and fully automate the process.

If by collecting you mean storing, then no, that's not a solution to
the problem. I'm certainly not putting my Apache credentials on a
third party CI server that multiple people have access to.
Introducing a clean room for building releases is admirable, but I
believe we need to use our own credentials to do so, and we must
retain full control of them in the process.
Thanks,
Brett
--
Brett Porter
http://blogs.exist.com/bporter/