
Re: Moving daily builds out of main debian-cloud-images project



Hi Ross

On Wed, Jul 28, 2021 at 10:04:39AM -0700, Ross Vandegrift wrote:
> You think we shouldn't trust the code in debian-cloud-images so readily,
> since a wider group of folks could commit malicious code.  Updating the
> submodule automatically would expose us to the following risk:
> 
> - someone commits malicious code to debian-cloud-images
> 
> - the next nightly pipeline pulls that code without review and runs it
> 
> - that provides access to run code on core machines, and could enable
>   publishing daily builds with malicious contents.

- that provides access to secrets used to upload and manage images at
  vendors.
  
Secrets defined in a project (debian-cloud-images-daily in this case)
are provided to all jobs it runs.  So right now even a package installed
into the image could exfiltrate them, damn.

For AWS those secrets would only provide access to the daily stuff and
we at least have an audit log.  On Azure we can neither differentiate
permissions between daily and release, nor is there a proper audit log.

Bastian

-- 
I'm a soldier, not a diplomat.  I can only tell the truth.
		-- Kirk, "Errand of Mercy", stardate 3198.9

