Newsgroups: php.internals
From: johannes@schlueters.de (Johannes Schlüter)
To: Ferenc Kovacs
Cc: Florian Anderiasch, Pierre Joye, jenkins, PHP Internals
Subject: Re: [PHP-DEV] VCS Account Request: jenkins
Date: Mon, 04 Feb 2013 22:13:57 +0100
Message-ID: <1360012437.1856.24616.camel@guybrush>

On Mon, 2013-02-04 at 19:13 +0100, Ferenc Kovacs wrote:
> yeah, that would work also, but it has some of the concerns that were
> mentioned about the git push way:
> if you somehow compromise the jenkins box, you can get rogue commits to the
> jenkins git.php.net repo.
> as I mentioned, I think I will use some 3rd party repo (github probably) for
> the configs and manually merge stuff to the web/jenkins repo on
> git.php.net once in a while.

Well, when having the git server pulling: what could happen? - An
attacker might write new revisions of config files. It can't do forced
pushes or such to hide his traces, the attacker can't abuse the account
for other things like deleting notes or manipulating bug reports.

But then again: I have no idea about the nature of config files :-)

johannes
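
One way the pulling side can enforce the property described in this message, as an added example that is not from the thread or from php.net's actual setup: the server fetches and advances only by fast-forward, so a new revision is recorded but rewritten history is refused. The repository names, the `job.xml` file and the choice of `--ff-only` are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: "ci-config" stands in for the repo on the Jenkins box and
# "mirror" for the server-side repo that pulls from it (both names are assumptions).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Server-side pull: fetch, then move main only by fast-forward.
# Non-zero exit means upstream history was rewritten and main was left untouched.
pull_ff_only() {  # $1 = mirror work tree
    git -C "$1" fetch -q origin main || return 2
    git -C "$1" merge -q --ff-only FETCH_HEAD >/dev/null 2>&1
}

commit_file() {  # $1 = repo, $2 = file content, $3 = commit message
    printf '%s\n' "$2" > "$1/job.xml"
    git -C "$1" add job.xml
    git -C "$1" commit -q -m "$3"
}

# Prints three words: result of pulling a new revision, result of pulling
# rewritten history, and whether the first revision is still in the mirror.
run_demo() {
    tmp=$(mktemp -d) || return 2
    src="$tmp/ci-config"; dst="$tmp/mirror"
    git init -q "$src"
    git -C "$src" symbolic-ref HEAD refs/heads/main
    commit_file "$src" "<job>v1</job>" "initial config"
    git clone -q "$src" "$dst"

    # 1. The source gains a new (possibly unwanted) config revision.
    commit_file "$src" "<job>v2 tampered</job>" "config change"
    tampered=$(git -C "$src" rev-parse HEAD)
    if pull_ff_only "$dst"; then first=accepted; else first=rejected; fi

    # 2. The source then rewrites history to drop that revision.
    git -C "$src" reset -q --hard HEAD~1
    commit_file "$src" "<job>v2 harmless</job>" "routine change"
    if pull_ff_only "$dst"; then second=accepted; else second=rejected; fi

    # 3. The mirror's main still contains the earlier revision.
    if git -C "$dst" merge-base --is-ancestor "$tampered" main
    then kept=kept; else kept=lost; fi
    rm -rf "$tmp"
    echo "$first $second $kept"
}

run_demo
```

A rejected pull is itself a signal worth alerting on, since a legitimate config repository should never need its history rewritten.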