www-builds mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joan Touzet <woh...@apache.org>
Subject Re: Can we package release artifacts on builds.a.o?
Date Sat, 08 Dec 2018 18:47:48 GMT
I would like to see support for something like this as well, even if it came down to individual
VMs/donated HW per project, locked down by project - only project X can use build machine

Automated repeatable builds actually *increases* trust vs. who knows what a release manager
has running on their workstation. At this point, I trust Docker builds with published, auditable
cryptographic hashes per layer more than I trust some Apache releases.

I don't actually believe that all projects in the Apache world are actually following the
strict edict of "human must run the build and push any binary release," but I'm not going
to point fingers.

----- Original Message -----
From: "Alex Harui" <aharui@adobe.com.INVALID>
To: builds@apache.org
Sent: Saturday, December 8, 2018 12:43:37 PM
Subject: Re: Can we package release artifacts on builds.a.o?

Gavin, Alan, Karl,

Thanks for the information.

This email implies that there is a Jenkins node that can commit something.  What creds are
used for that?  Is there a buildbot user?

If so, I was imagining the following workflow:

1) Jenkins runs Maven release.  I forgot about the PGP signing part.  If there is no way to
skip it, then can a buildbot "user" PGP sign it?
2) RM downloads the artifacts and verifies them.  The source package has to match the tag
so I think that would detect any injections from other stuff running in Jenkins or elsewhere
on the build server.  There's been a recent discussion on reproducible binaries and if this
workflow is approved I would make our binaries are reproducible, and that should again detect
any injections from the build server.
3) RM adds his/her PGP signature to the artifacts.  Not sure if there is a Maven way to do
4) Voting and other steps follow from there.

These would not be continuously running jobs.  They would have to be kicked off manually so
it shouldn't add significant load, and we would know which commits came from buildbot so we
could detect if anything went funky.


´╗┐On 12/8/18, 7:54 AM, "Gavin McDonald" <ipv6guru@gmail.com> wrote:

    additionally, nobody should have their creds stored anyway other than their
    own machine.
    On Sat, Dec 8, 2018 at 3:49 PM Allen Wittenauer
    <aw@effectivemachines.com.invalid> wrote:
    > > On Dec 7, 2018, at 11:56 PM, Alex Harui <aharui@adobe.com.INVALID>
    > wrote:
    > >
    > >
    > >
    > > On 12/7/18, 10:49 PM, "Allen Wittenauer" <aw@effectivemachines.com.INVALID>
    > wrote:
    > >
    > >
    > >
    > >> On Dec 7, 2018, at 10:22 PM, Alex Harui <aharui@adobe.com.INVALID>
    > wrote:
    > >>
    > >> Maven's release plugins commit and push to Git and upload to
    > repository.a.o.  I saw that some folks have a node that can commit to the
    > a.o website SVN.  Is anyone already doing releases from builds?  What
    > issues are there, if any?
    > >
    > >       It's just flat out not secure enough to do a release on.
    > >
    > > Can you give me an example of how it isn't secure enough?
    >         The primary purpose of these servers is to run untested,
    > unverified code.
    >         Jenkins has some very sharp security corners that makes it
    > trivially un-trustable.  Something easy to understand: when Jenkins is
    > configured to run multiple builds on a node, all builds on that node run in
    > the same user space. Because there is no separation between executors, it's
    > very possible for anyone to execute something that modifies another running
    > build.  For example, probably the biggest bang for the least amount of work
    > would be to replace jars in the shared maven cache.
    >         [... and no, Docker doesn't help.]
    >         There are other, bigger problems, but I'd rather not put that out
    > in the public.

View raw message