oss-sec mailing list archives
Re: Travis CI MITM RCE
From: Jeremy Stanley <fungi () yuggoth org>
Date: Sun, 26 Aug 2018 14:54:06 +0000
On 2018-08-25 20:56:59 -0400 (-0400), Phil Pennock wrote:
> On 2018-08-25 at 23:49 +0200, Jakub Wilk wrote:
> > The new code looks like this:
> >
> > apt-key list | awk -F'[ /]+' '/expired:/{printf "apt-key adv --recv-keys --keyserver keys.gnupg.net %s\\n", $3}' | sudo sh
> >
> > ...
> >
> > $ apt-key list | grep -A1 -w A15703C6
> > pub   4096R/A15703C6 2016-01-11 [expires: 2020-01-05]
> > uid                  MongoDB 3.4 Release Signing Key <packaging () mongodb com>
[...]
> If you're building infrastructure which needs to get data from off-site,
> then consider whether or not you can provide template directives which
> people can include in their command lists, and you then populate the
> template with the correct current commands for that directive. Eg, if
> I'm talking to Docker inside Circle CI, I don't set a bunch of variables
> myself, I just say `setup_remote_docker` and let Circle CI figure out
> which commands should be run. For "everything is a shell command" setup,
> then perhaps `$CICMD_APT_KEYS_UPDATE` could be made available. Or
> `"${CICMD_APT_KEYS_UPDATE[@]}"` if even more constrained.
Indeed, as someone who helps design and run very large CI systems, I can say with certainty that every extra request you make in your jobs to retrieve something over a network connection is one more false negative failure waiting to happen. The Internet is _not_ reliable, and it becomes obvious when you start looking at connection failures and random API errors at scale from lots of different places on the planet. If there's basically static data that your job needs (especially public keys/certs) just bake it directly into the job itself, and for things that change more often than that cache as much of it as you can local to (or even directly on the filesystems of) the systems which run those jobs.

Unfortunately a lot of this sort of silliness comes about because people write CI jobs by translating their own developer environment configuration documentation or user guides into scripts and don't think about (or perhaps don't even understand in many cases) how technologies like OpenPGP work.
-- 
Jeremy Stanley
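The following is an added example for this thread, not code from Travis CI or from anyone posting above. The quoted refresh line asks keys.gnupg.net (HKP, plain HTTP by default) for whatever key matches the 8-hex-digit short ID from `apt-key list` output, so a MITM or a hostile keyserver only has to return a key whose fingerprint ends in the same 32 bits. The script builds a minimal OpenPGP v4 public-key packet in memory, computes its fingerprint the way RFC 4880 defines it, shows how cheaply a short-ID match can be brute-forced (at a reduced width so it runs in a second; the cost scales as 16^digits), and contrasts that with pinning the full fingerprint of a key baked into the job. The moduli, timestamps and "attacker" key are constructed values, not real keys.

```python
# Added example (not Travis CI's code, not from the thread): pin the full
# OpenPGP fingerprint instead of trusting a short key ID fetched from a
# keyserver. All key material below is constructed for the demo.
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count + big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def packet(body: bytes) -> bytes:
    """Old-format tag 6 (public key) packet with a 2-byte length; header octet 0x99."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def parse_public_key_packet(pkt: bytes) -> bytes:
    """Return the body of an old-format tag 6 packet; reject anything else."""
    if len(pkt) < 4 or pkt[0] != 0x99:
        raise ValueError("expected an old-format public-key packet with 2-byte length")
    (length,) = struct.unpack(">H", pkt[1:3])
    body = pkt[3:3 + length]
    if length == 0 or len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    return body


def fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def short_key_id(fpr: str) -> str:
    """The 32-bit short key ID is just the last 8 hex digits of the fingerprint."""
    return fpr[-8:]


def accept_by_short_id(pkt: bytes, wanted_id: str) -> bool:
    """What `--recv-keys A15703C6` effectively trusts: 32 bits of a SHA-1."""
    return short_key_id(fingerprint(parse_public_key_packet(pkt))) == wanted_id.upper()


def accept_by_fingerprint(pkt: bytes, pinned_fpr: str) -> bool:
    """The check a job should make: all 160 bits against a value baked into the job."""
    return fingerprint(parse_public_key_packet(pkt)) == pinned_fpr.replace(" ", "").upper()


def forge_matching_suffix(n: int, e: int, target_fpr: str, hex_digits: int):
    """Brute-force a key (attacker's own n, e) whose fingerprint ends in the same
    hex_digits as target_fpr by walking the 32-bit creation timestamp.
    Expected cost is 16**hex_digits SHA-1s: ~65k for 4 digits, ~4 billion for
    the full 8-digit short ID, which is feasible offline on commodity hardware."""
    suffix = target_fpr[-hex_digits:].upper()
    tail = b"\x01" + mpi(n) + mpi(e)  # everything after the timestamp is fixed
    for created in range(1 << 32):
        body = b"\x04" + struct.pack(">I", created) + tail
        if fingerprint(body).endswith(suffix):
            return packet(body), created
    raise RuntimeError("no match within the timestamp space")


# Constructed sample data: 2048-bit odd integers standing in for the legitimate
# modulus and the attacker's; a constructed creation time for the real key.
E = 65537
LEGIT_N = (1 << 2047) | 12345
ATTACKER_N = (1 << 2047) | 67891
LEGIT_PACKET = packet(rsa_pubkey_body(1452470400, LEGIT_N, E))
LEGIT_FPR = fingerprint(parse_public_key_packet(LEGIT_PACKET))  # what the job pins


def demo(hex_digits: int = 4) -> dict:
    """Forge a suffix match at reduced width and show which check catches it."""
    forged, created = forge_matching_suffix(ATTACKER_N, E, LEGIT_FPR, hex_digits)
    forged_fpr = fingerprint(parse_public_key_packet(forged))
    return {
        "legit_fpr": LEGIT_FPR,
        "forged_fpr": forged_fpr,
        "attempts": created + 1,
        "suffix_match": forged_fpr[-hex_digits:] == LEGIT_FPR[-hex_digits:],
        "pinned_check_rejects_forgery": not accept_by_fingerprint(forged, LEGIT_FPR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`accept_by_short_id` is what the quoted one-liner amounts to; `accept_by_fingerprint` is the check to make against a fingerprint (or the whole armored key) committed alongside the job, which also removes the keyserver round trip Jeremy objects to. Run with 8 digits only if you want to watch the full 2^32 search; the 4-digit run is enough to see that the ID is a truncated hash, not an identity.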
Current thread:
- Travis CI MITM RCE Jakub Wilk (Aug 25)
- Re: Travis CI MITM RCE Phil Pennock (Aug 26)
- Re: Travis CI MITM RCE Jeremy Stanley (Aug 26)
- Re: Travis CI MITM RCE Daniel Kahn Gillmor (Aug 28)
- Re: Travis CI MITM RCE zugtprgfwprz (Aug 30)
- Re: Travis CI MITM RCE vines (Aug 31)
- Re: Travis CI MITM RCE zugtprgfwprz (Sep 01)
- Re: Travis CI MITM RCE Daniel Kahn Gillmor (Aug 31)
- Re: Travis CI MITM RCE zugtprgfwprz (Sep 01)
- Re: Travis CI MITM RCE Phil Pennock (Aug 26)