www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jan i <j...@apache.org>
Subject Re: Discussion on enabling users to specify own machines as dynamic hosts
Date Wed, 16 Apr 2014 20:57:37 GMT
On 16 April 2014 22:45, Alex Harui <aharui@adobe.com> wrote:

>
>
> On 4/16/14 1:08 PM, "jan i" <jani@apache.org> wrote:
> >
> >And from a PMC perspective I would worry about a build in a non-controlled
> >enviroment.
> Is an Azure VM considered "non-controlled"?  I get that my personal
> computer which I use for browsing the internet and reading email is prone
> to attack, but if an Azure VM is only running CI, isn't that safe enough
> for nightly builds which are not an official release?
>
> >
> >There is a big difference between developer builds which can happen
> >everywhere (I also build on my own machine), and builds that are sent to
> >tester or maybe even voted on.
> Are we allowed to vote on bits built by a CI server?
>

I have raised this question a couple of times, and the answers have been
consistent:

As a PMC you need to get the source and build it, in order to validate it,
but builds from trusted buildbots can be used for validation. And just at
apacheCon denver one discussion concluded that build machines where we
(asf) do not know whats installed cannot be seen as secure.

Personally I think the ASF policies on this point need a little clearer
text.

rgds
jan I.


>
> Thanks,
> -Alex
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message