Hacker News new | past | comments | ask | show | jobs | submit login

Side topic: probably not a good idea to expose Jenkins externally, especially if you don't keep Jenkins up-to-date all the time (for transmission bt it is up-to-date right now). This Jenkins probably contain the key to the svn server, so if someone finds a hole...



>Side topic: probably not a good idea to expose Jenkins externally

Jenkins (and CI in general) can be a very weak point. This was posted on Hacker News a while back https://github.com/samratashok/ContinuousIntrusion


Very useful demonstration. thanks for sharing.


> Jenkins probably contain the key to the svn server

Why should it? For open-source software build-server can even be ran by a third party.


I am not following your comment here. Most Jenkins setup use global credentials or use the server-side config file like .ssh/config, .gitconfig link.


But ideally there are no credentials because Jenkins doesn't need to push code to the repo (and can clone the pubically available code).


But it might need to push new (binary) updates if the master/deploy branches gets updated or a commit contains a specific tag.

As far as I know, only the binary was updated.

I'd be interested to hear, though, how it got compromised after all.


Yeah, that makes sense. Build servers are one of the weakest links in distributing software. That's why this exists and I'm glad it's making progress:

https://reproducible-builds.org

And even if you sign updates, the key management for doing that is usually centralized, which can be bad:

http://arstechnica.com/security/2016/02/most-software-alread...


I do not think it was the build server, though. According to this analysis[1], the developer used a different key to sign the build (all Mac apps need to be signed or the default behavior is to reject that App. You can permanently disable this behavior in settings, or just for on app by holding control while opening the App, which a lot users who use transmission probably do because not all legitimate Apps are signed). Anyways, since the app was signed by a third party's certificate (which was approved by Apple), chances are only the website was compromised. If the build server had been compromised, the attack would have had access to the developer's certificate and they would most likely have used that.

[1]: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-...


Transmission, as an open source project, should probably evaluate another CI service such as Travis rather than run their own Jenkins services.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: