Re: Moving daily builds out of main debian-cloud-images project
Hi Bastian,
On Wed, Jul 28, 2021 at 10:24:46AM +0200, Bastian Blank wrote:
> On Mon, Jul 26, 2021 at 09:54:23PM -0700, Ross Vandegrift wrote:
> > The second disadvantage recently came up in [1]. I proposed a possible fix for
> > discussion at [2]. Bastian thought the discussion needed to happen on the ML,
> > not salsa. So here we are!
>
> My largest problem with that change is that it removes
> | - Access credentials for vendor and Debian infrastructure only exist in
> | the new group, so accidently leaking them is way harder.
That doesn't seem right - the MR doesn't affect credential storage or
team membership.
> So we would need to again completely trust anyone on the normal cloud
> team group.
>
> There is no real way around either options, you either
> - need to trust everyone with write access to the code (and this trust
> was dented lately, after the person in question not even answered on
> my question why he thought this would be appropriate) or
> - "manually" move the changes forward.
This is a different worry, I think I understand. Let me repeat to
check.
You think we shouldn't trust the code in debian-cloud-images so readily,
since a wider group of folks could commit malicious code. Updating the
submodule automatically would expose us to the following risk:
- someone commits malicious code to debian-cloud-images
- the next nightly pipeline pulls that code without review and runs it
- that provides access to run code on core machines, and could enable
publishing daily builds with malicious contents.
Am I understanding?
Ross
Reply to: