[Buildbot-devel] Has anyone looked at changing buildbot to use ssh to connect to the slaves?
Douglas Philips
dgou at mac.com
Wed Mar 26 12:54:21 UTC 2008
On 2008 Mar 26, at 7:50 AM, Nathaniel Smith wrote:
> Err, your buildmaster is running commands like "check out code from
> this remote repository that I don't control and then execute that code
> on my machine", right? Unless you want to set up a full-fledged VM,
> running a buildslave and allowing ssh access are pretty much
> equivalent as far as security goes.
Theoretically, I agree.
Practically, the ease of abuse of ssh access and the risk of stolen
keys from a compromised server is higher than the likelihood of a
malicious makefile/source-code hack, IMHO. (crude analogy: I don't
trust a cold-call claiming to be from "my credit card company," but I
do trust that someone hasn't sent me a faux billing statement with a
bogus 800 number.)
> I've actually requested before that the buildmaster *get* interactive
> access to a shell on buildslaves, just because it would save so many
> hours (and hours and hours) of trying to debug build configurations.
I can see the temptation... but... it would be better to have a build
step that 'validates the build environment' than to re-implement
telnet/ssh inside of buildbot. It is not buildbot's core competency
to have unfettered "shell-like" remote access (aren't there already
too many of those kinds of half-maintained tools out there already?).
It would, imho, be a huge distraction and maintenance pita to boot.
--Doug
More information about the devel
mailing list