[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: autopkgtest for security archive

Dear DSA and ftp-master,

The security team inquired [1] if we, the CI team, could support
autopkgtesting of (embargoed) security uploads. We have already
discussed some of the requirements (mostly about secrecy), but with my
questions [2] about the embargoed queue/archive I want the wrong way,
see the reply from the wanna-build team.

On 27-03-2019 10:04, Philipp Kern wrote:
> On 3/26/2019 10:23 PM, Paul Gevers wrote:
>> Kind ping for the question below.
> I am not sure what you are asking. Yes, buildds for security have access
> to the embargoed queue and obviously that access cannot reasonably be
> shared. Technically I think it's in the purview of ftp-master to approve
> new credentials (in this case together with Security team) and for DSA
> to provision them. As far as I remember we rely on IP whitelisting today
> - at least 99builddsourceslist does not contain logic for passwords
> (anymore) and I'm pretty sure DSA autogenerates that list into
> ftp-master's apache config. Unfortunately I could not find that
> configuration in DSA's Puppet tree (nor on coccia, but this is about
> security-master) from a quick glance. I know I have seen it in the past,
> but I don't recall where. In any case those two teams are the ones to ask.

So, my questions to you are:

a) Are you indeed the right people to talk to about getting access to
the embargoed queues?

b) If the access is indeed set-upped via IP whitelisting, than I have
the following concern. We are currently running 12 amd64 workers in the
AWS framework. I am typically recreating workers after 60 to 90 days as
we are having issues with them after a while. This means they get new IP
addresses. Would that be a problem? Soon I hope to also have arm64
workers from another platform available. I expect similar issues there.

c) How are the embargoed queue set up? If the CI-infrastructure would
get access to it, can it just process this archive like other archives,
or would we need to get build artifacts and put them together ourselves?
I would expect the former, but just to be sure.


[1] off-list, so not archived, but the start of this thread can be found
with the reply here:

and the ping here:
with the reply here:

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: