Re: Moving daily builds out of main debian-cloud-images project

[Ross Vandegrift <rvandegrift@debian.org>]

Hi Bastian,

On Wed, Jul 28, 2021 at 10:24:46AM +0200, Bastian Blank wrote:
> On Mon, Jul 26, 2021 at 09:54:23PM -0700, Ross Vandegrift wrote:
> > The second disadvantage recently came up in [1].  I proposed a possible fix for
> > discussion at [2].  Bastian thought the discussion needed to happen on the ML,
> > not salsa.  So here we are!
> 
> My largest problem with that change is that it removes
> | - Access credentials for vendor and Debian infrastructure only exist in
> |   the new group, so accidently leaking them is way harder.

That doesn't seem right - the MR doesn't affect credential storage or
team membership.

> So we would need to again completely trust anyone on the normal cloud
> team group.
> 
> There is no real way around either options, you either
> - need to trust everyone with write access to the code (and this trust
>   was dented lately, after the person in question not even answered on
>   my question why he thought this would be appropriate) or
> - "manually" move the changes forward.

This is a different worry, I think I understand.  Let me repeat to
check.

You think we shouldn't trust the code in debian-cloud-images so readily,
since a wider group of folks could commit malicious code.  Updating the
submodule automatically would expose us to the following risk:

- someone commits malicious code to debian-cloud-images

- the next nightly pipeline pulls that code without review and runs it

- that provides access to run code on core machines, and could enable
  publishing daily builds with malicious contents.

Am I understanding?

Ross