by druiid 4360 days ago
The idea of these hosted deployment systems always scares me. Essentially you have no choice but to open SSH to the universe. This is far beyond best practices for at least a couple of reasons. The first would be that if at all possible you should be hiding SSH behind a VPN so that casual or not so casual attempts at breaking into the server are made that much more difficult (this makes even people somehow getting a stolen private key a non-issue). The second would be that giving an 'unknown' third party this kind of access to your systems leaves you open to them being exploited and then exploiting you (and this scenario seems much more likely than someone guessing your password if you are using one on SSH for some reason).

All in all, deployment seems like something to me which I'd always want to keep in-house.


I'm comfortable with having a company I trust enough handling deployment. In order to trust them I have to see them do difficult things well and it probably needs to be more than just a couple people. A small deployment service like this will probably remain in the area where I don't know enough about them to trust them. This is why I turn to Continuous Integration tools (CircleCI) or Project Hosts (Beanstalk, Springloops) for deployment. By observing them doing complicated things I get the feeling that they know what they're doing. Perhaps OP should think bigger.
But those complicated things (CI) are fairly different than managing deployments securely...
I personally wouldn't trust CircleCI to do this stuff either. They already don't exactly have a great track record for security.
Upon thinking about it, I agree. I don't want CircleCI to have the SSH key.

I think webhooks are a good model. At worst it could deploy at the wrong time (which would be pretty bad).

Would be a nice tool if you could host it yourself though.
I was recently facing the decision whether to deploy from codeship.io directly or not. In the end it turned out not possible due to technical reasons. So I repurposed my old CI server and turned it into a 'continuous deployment' server which integrates well into github. You can easily run it on your own system, it's just one (almost static) binary. https://caurea.org/2014/07/01/mudbath-is-now-a-continuous-de...
The service I use gives me a list of 2 IPs which I add to my firewall.

It isn't exactly open to the world.
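The two concerns raised in this thread, a third-party deploy service being compromised and then used against you, and pinning its access to the handful of source addresses it publishes, can both be enforced on the server side of the SSH key itself. The script below is an added example, not code from any commenter or from the tools discussed: it builds an `authorized_keys` entry that restricts the deploy key to the service's announced IPs with `from=` (so sshd rejects the key from anywhere else even if a firewall rule slips) and forces every session through a small allowlisting dispatcher with `command=`, so a stolen or misused key can trigger a deploy but cannot open a shell, forward ports or run arbitrary commands. The IP addresses (documentation range 203.0.113.0/24), the paths `/usr/local/bin/deploy-only` and `/usr/local/bin/deploy.sh`, and the key string are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from any commenter or tool in the thread): confine a
# deploy key handed to a third-party service using authorized_keys options.
# from= pins the key to the service's published source addresses (the same
# idea as the firewall rule, enforced by sshd as well); command= forces every
# session through a dispatcher so a compromised service can trigger a deploy
# but cannot get a shell, forward ports or run anything else.
# IPs, paths and the key below are assumptions, not real values.

# Emit one authorized_keys line.
#   $1  comma-separated source IPs/CIDRs allowed to use the key (from=)
#   $2  absolute path of the forced command (command=)
#   $3  the public key, e.g. "ssh-ed25519 AAAA... comment"
restricted_key_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# Forced-command dispatcher. sshd places the client's requested command in
# SSH_ORIGINAL_COMMAND; it is never executed, only matched against a fixed
# allowlist. Prints the validated target and returns 0 on a match, 1 otherwise
# (so "deploy staging; id" or an empty command are rejected outright).
deploy_dispatch() {
    case "$1" in
        "deploy staging")    echo staging ;;
        "deploy production") echo production ;;
        "")                  echo "rejected: no command given" >&2; return 1 ;;
        *)                   echo "rejected: $1" >&2; return 1 ;;
    esac
}

# Entry point when this file is installed as the forced command (assumed
# path /usr/local/bin/deploy-only): validate, then hand only the environment
# name to the real deploy script. Nothing from the remote side reaches a shell.
run_forced_command() {
    target=$(deploy_dispatch "${SSH_ORIGINAL_COMMAND:-}") || return 1
    exec /usr/local/bin/deploy.sh "$target"   # assumed local deploy script
}

# Demo: the line you would append to ~deploy/.ssh/authorized_keys for a
# service that announces two source addresses (203.0.113.10 and .11 here).
restricted_key_line "203.0.113.10,203.0.113.11" "/usr/local/bin/deploy-only" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLE deploy@ci"
```

The `from=` check happens inside sshd after the TCP connection is accepted, so it complements rather than replaces the firewall rule (the firewall keeps sshd off the wire for everyone else) and the VPN option mentioned earlier (which keeps the port unreachable entirely). On OpenSSH 7.2 and later the `restrict` option is a shorter way to turn off all forwarding, PTY allocation and similar features at once; the explicit `no-*` options above work on older releases too. Whatever the key can reach, the service's public key and its IP list should be rotated the moment the provider reports an incident.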