
Re: Security releases for ecosystems that use static linking



On Fri, Dec 22, 2023 at 09:54:45AM +0100, Moritz Muehlenhoff wrote:
> One solution which has been discussed in the past is to import a full copy
> of stable towards stable-security at the beginning of each release cycle,
> but that is currently not possible since security-master is a Ganeti VM
> and the disk requirements for a full archive copy would rather require
> a baremetal host.

I don't think we are constrained by disk space here. I understand you
are talking about a full import here, rather than referencing data
elsewhere. We could make disk available for that.

But it'd be nicer if dak could do an overlay pool. I feel like people
might in general want to be able to do that. Replicating projectb onto
the VM would be one option - I think we'd not even need the data pool,
as all checksums are in the files table anyway. If we need to provide
a mirror to the VM, we can do that via NFS.

There's a security question here somewhere about importing untrusted
data from other places, but we are already ultimately trusting
ftp-master so I'm not sure it actually makes a difference.

Kind regards
Philipp Kern

