One popular and widely used toolkit for the Continuous Integration (CI) process is called Jenkins. Jenkins can not only rebuild projects after each change, but also automatically approve, sign and deploy newly built versions into one or more test environments, and even pass them straight through into your distribution system.
The most recent Jenkins security update, for example (2017-04-10), addressed at least 32 arbitrary remote code execution bugs, both in the software itself and in many of its plugins. Bugs of this sort may sound harmless on the surface, but you can think of these holes as “metacoding” bugs, where a rogue programmer could submit perfectly legitimate code changes that would be passed as improvements, yet could at the same time sneakily subvert the build process itself. That could leave you with official software, built officially from the official source code… but with some unofficial “secret sauce” mixed in.