Closed bobveznat closed 8 years ago
Late to the party, but you can build this yourself (https://github.com/cloudtools/ssh-cert-authority/blob/master/BUILDING.rst) if you have strict requirements about external services.
The answer to this ended up being "I don't know." The people at drone.io never responded to my emails asking for commentary and they have zero documentation posted pertaining to the security of their service.
We do build this ourselves. And for whatever it's worth, if you trust me at all, I sign every commit to the tree. So you can verify the signatures of every commit if you wanted to verify that you have the real source code.
I sign with key id F2421964, which is also visible here: https://keybase.io/bobvanzant
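The check described in the reply above (every commit signed by key id F2421964), as an added example that is not part of the thread or the project's own code. It audits the output of `git log --format='%H %G? %GK'`; the function names and sample log lines are constructed, and the `00000000` prefix on the long key id is a placeholder.

```shell
#!/bin/sh
# Audit commit signatures against one expected signing key.
# Input lines: "<commit-hash> <status> <signing-key-id>", as printed by
#   git log --format='%H %G? %GK'
# Status is git's %G? code: G good, U good but key not trusted locally,
# B bad, X/Y expired, R revoked key, E cannot check (key missing), N unsigned.

# Short key id quoted in the thread. Short ids can collide, so pin the
# full fingerprint instead once you have obtained it out of band.
EXPECTED_KEY="F2421964"

# Reads log lines on stdin and prints one REJECT line per failing commit.
# Returns 0 only if every commit has a verifying signature from EXPECTED_KEY.
audit_commits() {
    bad=0
    while read -r hash status key; do
        [ -n "$hash" ] || continue
        case "$status" in
            G|U) ;;   # signature verifies cryptographically
            *)  echo "REJECT $hash: signature status ${status:-missing}"
                bad=$((bad + 1))
                continue ;;
        esac
        case "$key" in
            *"$EXPECTED_KEY") ;;   # long key id ends with the expected id
            *)  echo "REJECT $hash: signed by unexpected key ${key:-none}"
                bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample input (not real commits from the repository):
# one good commit, one unsigned commit, one signed by a different key.
sample_log() {
    cat <<'EOF'
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa G 00000000F2421964
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb N
cccccccccccccccccccccccccccccccccccccccc G 00000000DEADBEEF
EOF
}

# Usage inside a clone, after importing the maintainer's public key:
#   git log --format='%H %G? %GK' | audit_commits
```

A passing audit only shows the history was signed by that key; a binary produced by a third-party build service still has to be rebuilt from the verified tree to be tied to it.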
The security of this project is paramount and having an untrusted build service acting as a black box building the project is potentially dangerous. This issue is to track performing a soft audit of drone.io via whatever documentation they will provide or finding a different service altogether.