Security Issue on Forge
Colin Clark
colinbdclark at gmail.com
Thu Nov 4 10:33:35 UTC 2010
Hi Jamon,
I think many people on the list probably need a bit more detail to properly understand your message. I'll try to clarify.
forge.fluidproject.org is a new server that was set up about a year ago to host the daily build and production instances of the PHP-based Infusion Builder application that we've been working on in fits and starts for the past while. It's completely distinct from our essential daily build infrastructure at build.fluidproject.org.
The Builder's daily build process is quite distinct from the way we build the rest of Fluid's code. I agree that the inclusion of user-visible database usernames and passwords is inappropriate--it's also atypical. Thanks for finding this and working with Cindy to fix it.
Getting this new infrastructure set up in a reliable and secure way is one of our last steps towards introducing the Builder as a standard feature for Infusion users. It'll be exciting to have this all up and running!
Colin
On 2010-11-03, at 11:58 AM, jamonation at gmail.com wrote:
> The new Continuum builder at forge.fluidproject.org is currently running daily builds of the Infusion Builder tool. Part of the Continuum build process passes arguments to Ant, which then substitutes them into the build.xml file, which is used to package and deploy the Infusion builder.
>
> In examining how that build process works, I noticed that the Infusion Builder project page in Continuum had the MySQL user name and password exposed. As far as I can tell, that has been the case since the builder was first set up. I am not sure who oversaw that process.
>
> At the moment all arguments to Ant have been removed so the daily build will fail. I will work with Justin and Cindy, or whomever else needs to be involved to resolve the issue, but the builder must be offline until the issue can be resolved.
>
> In the future, for any new Continuum build or changes to existing ones, please check with either myself or Armin to ensure that vital information is not exposed to the world.
---
Colin Clark
Technical Lead, Fluid Project
http://fluidproject.org
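The pattern Jamon describes, database credentials handed to Ant as command-line properties that the Continuum project page then displayed, is one that a small guard in the build wrapper can catch before the job runs. The script below is an added example written for this page; it is not code from the fluid-work thread, the Fluid Project or Apache Continuum. It assumes the build is launched as `ant -Dkey=value ...` (hypothetical invocation) and that build.xml loads secrets with `<property file="${mysql.properties}"/>` from a file outside the workspace, so the only thing that reaches the command line, the CI page and the process list is a path.

```shell
#!/bin/sh
# Added example, not from the fluid-work thread. Guards an Ant build
# invocation against the pattern discussed above: credentials passed as
# -D<name>=<value> arguments, which CI job pages, process listings and
# build logs all expose.
#
# Assumptions (hypothetical): the build is run as "ant -Dkey=value ... target"
# and build.xml reads secrets via <property file="${mysql.properties}"/>.

# check_build_args: return 0 when no argument carries an inline credential,
# 1 otherwise. Only the property *name* is inspected, so the value is
# never echoed; the message redacts it.
check_build_args() {
    status=0
    for arg in "$@"; do
        case "$arg" in
            -D*=*)
                name=${arg#-D}
                name=${name%%=*}
                case "$name" in
                    *[Pp]assword*|*[Pp]asswd*|*[Ss]ecret*|*[Tt]oken*|*[Aa]pikey*|*[Aa]pi_key*)
                        echo "refusing inline credential in build argument: -D$name=<redacted>" >&2
                        status=1
                        ;;
                esac
                ;;
        esac
    done
    return $status
}

# write_db_properties FILE USER PASS: write the credentials to a properties
# file that only the build account can read. The umask is set in a subshell
# so the file is never world-readable, even briefly, and the caller's umask
# is left untouched.
write_db_properties() {
    file=$1; user=$2; pass=$3
    ( umask 077; printf 'mysql.user=%s\nmysql.password=%s\n' "$user" "$pass" > "$file" )
    chmod 600 "$file"
}

# properties_mode FILE: print the octal permission bits (GNU stat first,
# BSD stat as fallback); a correctly written file reports 600.
properties_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage sketch (hypothetical paths and target):
#   write_db_properties /etc/fluid/forge-db.properties builder "$DB_PASS"
#   check_build_args -Dmysql.properties=/etc/fluid/forge-db.properties deploy \
#       && ant -Dmysql.properties=/etc/fluid/forge-db.properties deploy
# whereas "ant -Dmysql.password=... deploy" is rejected before Ant starts.
```

Running the guard from the CI wrapper rather than inside build.xml matters: by the time Ant has parsed `-Dmysql.password=...`, the value is already in the job's recorded command line, which is exactly where it was visible on the Continuum project page.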