
Re: Please try expo.debian.net -- a replacement for mentors.debian.net



Hi Arno,

On Tue, Jul 26, 2011 at 10:34:50PM +0200, Arno Töll wrote:
> On 26.07.2011 22:25, Kilian Krause wrote:
> > I'm not entirely sure if we want to run get-orig-source targets to rebuild
> > ~dfsg tarballs and compare them. 
> 
> I don't think you really want to consider running /anything/ which has
> been supplied by a completely untrusted sponsoree, be it a full or
> partial or just a get-orig-source target run. This is an immediate risk
> for the infrastructure, be it well protected or not, for little benefit.

That was pretty much my point. I currently have no idea how to secure the
setup enough so that we can safely sandbox the get-orig-source call
sufficiently to be terminated unconditionally after a timeout from the
outside and unable to speak to anything except some remote (web) servers and
a local disk cachedir where we'd pull a file from once completed. I bet,
however, it'd make an interesting SELinux challenge to put such a thing
together. ;-)

That's nothing urgent and nothing that we should put effort into now(TM).

-- 
Best regards,
Kilian
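
An added example, not part of the original message or of any Debian service code: a Python sketch of only the "terminated unconditionally after a timeout from the outside" requirement, running an untrusted command in its own process group inside a scratch cachedir and killing the whole group afterwards. The function names, limits and the stand-in command are assumptions; it does not restrict network or filesystem access (that still needs a MAC policy such as the SELinux one mentioned above), and a child that starts its own session escapes the group kill.

```python
import os
import resource
import signal
import subprocess
import tempfile


def _cap(res, value):
    # Lower a resource limit without ever asking for more than the hard limit.
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _child_limits():
    # Runs in the child between fork and exec.
    _cap(resource.RLIMIT_CPU, 60)            # seconds of CPU time
    _cap(resource.RLIMIT_FSIZE, 512 << 20)   # largest file it may write


def run_untrusted(argv, cachedir, timeout):
    """Run argv in cachedir; return (status, files left in cachedir).

    status is "ok", "failed" or "timeout". The whole process group is
    killed before returning, whatever the outcome.
    """
    proc = subprocess.Popen(
        argv, cwd=cachedir,
        env={"PATH": "/usr/bin:/bin", "HOME": cachedir},  # no inherited secrets
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        start_new_session=True,   # own session and process group
        preexec_fn=_child_limits)
    try:
        status = "ok" if proc.wait(timeout=timeout) == 0 else "failed"
    except subprocess.TimeoutExpired:
        status = "timeout"
    finally:
        try:
            os.killpg(proc.pid, signal.SIGKILL)  # also kills background jobs
        except ProcessLookupError:
            pass                                  # group already gone
        proc.wait()
    return status, sorted(os.listdir(cachedir))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a get-orig-source run that never finishes.
        print(run_untrusted(["sh", "-c", "sleep 30 & sleep 30"], d, 0.5))
```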
