Dear DSA and ftp-master,

The security team inquired [1] if we, the CI team, could support
autopkgtesting of (embargoed) security uploads. We have already
discussed some of the requirements (mostly about secrecy), but with my
questions [2] about the embargoed queue/archive I went the wrong way,
see the reply from the wanna-build team.

On 27-03-2019 10:04, Philipp Kern wrote:
> On 3/26/2019 10:23 PM, Paul Gevers wrote:
>> Kind ping for the question below.
>
> I am not sure what you are asking. Yes, buildds for security have access
> to the embargoed queue and obviously that access cannot reasonably be
> shared. Technically I think it's in the purview of ftp-master to approve
> new credentials (in this case together with Security team) and for DSA
> to provision them. As far as I remember we rely on IP whitelisting today
> - at least 99builddsourceslist does not contain logic for passwords
> (anymore) and I'm pretty sure DSA autogenerates that list into
> ftp-master's apache config. Unfortunately I could not find that
> configuration in DSA's Puppet tree (nor on coccia, but this is about
> security-master) from a quick glance. I know I have seen it in the past,
> but I don't recall where. In any case those two teams are the ones to ask.

So, my questions to you are:

a) Are you indeed the right people to talk to about getting access to
the embargoed queues?

b) If the access is indeed set up via IP whitelisting, then I have the
following concern. We are currently running 12 amd64 workers in the AWS
framework. I am typically recreating workers after 60 to 90 days as we
are having issues with them after a while. This means they get new IP
addresses. Would that be a problem? Soon I hope to also have arm64
workers from another platform available. I expect similar issues there.

c) How is the embargoed queue set up? If the CI-infrastructure would
get access to it, can it just process this archive like other archives,
or would we need to get build artifacts and put them together ourselves?
I would expect the former, but just to be sure.

Paul

[1] off-list, so not archived, but the start of this thread can be
found here:
https://lists.debian.org/7b7e1e98-0070-1dc9-db5a-e84c273d08bf@debian.org
with the reply here:
https://lists.debian.org/20181021181734.GF19266@pisco.westfalen.local

[2] https://lists.debian.org/418def0d-c6b0-60b9-0dbc-77ecf170dc66@debian.org
and the ping here:
https://lists.debian.org/026e37da-7243-61c8-fa0a-101b5df95a23@debian.org
with the reply here:
https://lists.debian.org/32b7119c-27ee-5f11-2fff-05af640ea2fd@philkern.de