(Adding dev at .)
Markus Krogh <markus at nordu.net> wrote
Thu, 3 Dec 2015 09:09:25 +0100:
| CI is a hacker's best friend, they are often unpatched/unmaintained,
| as well as they by default have unsafe configuration. Most CIs will by
| default compile on the same machine as the CI is running, meaning if
| you are compiling code you cannot trust that is a problem, they also
| often have access to internal systems to do redeploys etc. making them
| a juicy target.
Thanks.
(For more context, CI means "continuous integration". A CI system is a
(set of) machine(s) continuously compiling (and hopefully testing)
software projects, often showing the current status in some web
thing. 15 years ago this was called "nightly builds".)
| If you ask me it is more of a please configure and update your CI rather than a don't
| use CI systems.
I think that binaries built on a machine with any internet facing
services except perhaps sshd should not be deployed. Unless reproducibly
built.
CI systems can of course still be useful for catching
regression. Running tests on a CI system is a good idea.