[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PPAs for Debian

Marc 'HE' Brockschmidt, 2011-05-04 10:42:31 +0200 :

> Heya,
>
> Roland Mas <lolando@debian.org> writes:
>> Mike Hommey, 2011-05-04 07:57:47 +0200:
>>> Add to that that allowing random people to upload packages to be built
>>> on Debian build daemons is a recipe to have the buildds compromised.
>>   My initial idea about how one would go about implementing them
>> involved very strict isolation of the builds (either with LXC or a more
>> heavy-handed virtualisation system).  Not going to be very efficient in
>> the slow path, but the scope of a compromise would be a temporary
>> environment that's going to be thrown away in a minute or so and never
>> reused.
>
> If anyone would have actually read the PPA proposal, they would know
> that uploads were and are intended to be restricted to DDs and DMs
> (which can break buildds anyway, if they want) and building should
> happen in throw-away chroots (not for security, but "don't mess with my
> system" reasons).

  Oh, we're in full agreement, no question about that :-) I'm sorry I
didn't read the proposal, I was only trying to debunk a misapprehension
(and, possibly, nudge implementers into a way that would be helpful in a
more general case than the Debian PPA, such as… other users of
FusionForge, for instance.  My view is that PPAs should be handled as a
particular case of a more general architecture for continuous
integration (or autobuilding) in the forge.  My point of view is biased,
but I'm pretty sure we could find other use cases for builds *besides*
packages.  Customized CD images, possibly, or datasets or tdebs or
whatnot.

Roland.
-- 
Roland Mas

Sauvez un arbre, tuez un castor.
Reply to: