
The costs of continuous integration

Posted Mar 5, 2020 7:13 UTC (Thu) by marcH (subscriber, #57642)
Parent article: The costs of continuous integration

> The lack of any oversight of what gets run in the CI system and which projects are responsible for it is part of the problem, Airlie said. "You can't have a system in place that lets CI users burn [large] sums of money without authorisation, and that is what we have now."

From a security perspective, the ability for basically anyone to run arbitrary code at ease never ceases to amaze me. I know: containers etc. but still.



The costs of continuous integration

Posted Mar 5, 2020 10:43 UTC (Thu) by pkern (subscriber, #32883) [Link] (2 responses)

I would argue that as long as no artefacts are copied off those machines and reused for anything but testing on another test machine, you can treat those machines as entirely untrusted. Of course that also means that those machines must not have any privileged access. With containers and VMs you can at least isolate the slightly more privileged runner from the actual test workload.

The costs of continuous integration

Posted Mar 5, 2020 17:48 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (1 responses)

Unfortunately, you can't "just" treat a machine as untrusted and think your job is done. Black hats will use it for DoS attacks against third parties, to mine whatever cryptocurrency is popular, and in various other nefarious ways that don't require trust.

The costs of continuous integration

Posted Mar 6, 2020 7:16 UTC (Fri) by pkern (subscriber, #32883) [Link]

Sure, but you can monitor for that. Whatever public infrastructure you offer will eventually be abused. That might even be true of any private infrastructure. ;-) At the same time people will only care about that if there are actual costs they see.

The costs of continuous integration

Posted Mar 5, 2020 11:52 UTC (Thu) by blackwood (guest, #44174) [Link]

It's not containers (we have zero illusions they're going to hold an attacker up), it's cheap throwaway machines that do nothing else than run CI jobs. You bomb one, we reinstall it. There's some cross-project credentials you might be able to sneak from other jobs, stuff like "I've rebuilt, need to kick off the next project in the dependency chain to do its rebuilding". But given that all the code is open anyway the amount of damage you can inflict by taking over CI runners is really minimal. Breaking into the main servers is a different thing entirely.

