diff options
Diffstat (limited to 'zarb-ml/mageia-dev/20100927/000295.html')
| -rw-r--r-- | zarb-ml/mageia-dev/20100927/000295.html | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/20100927/000295.html b/zarb-ml/mageia-dev/20100927/000295.html new file mode 100644 index 000000000..6a6f5ac3f --- /dev/null +++ b/zarb-ml/mageia-dev/20100927/000295.html @@ -0,0 +1,107 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Will this work for a build system? + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Will%20this%20work%20for%20a%20build%20system%3F&In-Reply-To=%3CAANLkTikjmMcDvmtwAZ_Qw3Q%2BWj5B%3Dg8F5sL9RiPnCGa5%40mail.gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000292.html"> + <LINK REL="Next" HREF="000296.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Will this work for a build system?</H1> + <B>Giuseppe Ghibò</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Will%20this%20work%20for%20a%20build%20system%3F&In-Reply-To=%3CAANLkTikjmMcDvmtwAZ_Qw3Q%2BWj5B%3Dg8F5sL9RiPnCGa5%40mail.gmail.com%3E" + TITLE="[Mageia-dev] Will this work for a build system?">ghibomgx at gmail.com + </A><BR> + <I>Mon Sep 27 11:51:19 CEST 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000292.html">[Mageia-dev] Will this work for a build system? +</A></li> + <LI>Next message: <A HREF="000296.html">[Mageia-dev] Will this work for a build system? +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#295">[ date ]</a> + <a href="thread.html#295">[ thread ]</a> + <a href="subject.html#295">[ subject ]</a> + <a href="author.html#295">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>2010/9/27 Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">misc at zarb.org</A>> + +><i> Le lundi 27 septembre 2010 à 03:19 +0200, vfmBOFH a écrit : +</I>><i> > What about virtualization? +</I>><i> > +</I>><i> > Maybe we could set-up some kind of cluster of remote and dedicated +</I>><i> > vm's as a +</I>><i> > unique build system. Could be a good workaround over security and +</I>><i> > integrity issues, 'cause we are using a "single" build system. +</I>><i> +</I>><i> Well, how do you garantee that the person who have physical access do +</I>><i> not mess with the vm image ? +</I>><i> +</I>><i> Look at libvirt developers blog ( <A HREF="http://rwmj.wordpress.com/">http://rwmj.wordpress.com/</A> ) to see +</I>><i> how easy it can be to externally mess with a virtual instance if you are +</I>><i> root on the host computer. +</I>><i> -- +</I>><i> Michael Scherer +</I>><i> +</I>><i> +</I>The only way of doing this is NOT letting anyone packaging or uploading a +tarball. Just have two different building system. One "secure" and the other +of contributors (not unsecure, but with less checking). The secure one would +download the tarball automatically from the original repositories: + +e.g.: suppose there is a package SPEC file containing: + +Source: <A HREF="http://blabla.com/openssh-5.5-1.tar.xz">http://blabla.com/openssh-5.5-1.tar.xz</A> +Source1: <A HREF="http://blabla.com/openssh-5.5.1.tar.sig">http://blabla.com/openssh-5.5.1.tar.sig</A> + +An automatic system would try to retrieve from the <A HREF="http://blabla.com/">http://blabla.com/</A> site +the packages +<A HREF="http://blabla.com/openssh-5.5-1.tar.xz,">http://blabla.com/openssh-5.5-1.tar.xz,</A> or if not exists +<A HREF="http://blabla.com/openssh-5.5-1.tar.bz2">http://blabla.com/openssh-5.5-1.tar.bz2</A> or +<A HREF="http://blabla.com/openssh-5.5-1.tar.gz">http://blabla.com/openssh-5.5-1.tar.gz</A> or +<A HREF="http://blabla.com/openssh-5.5-1.tar.">http://blabla.com/openssh-5.5-1.tar.</A> Then would retrieve the signature +<A HREF="http://blabla.com/openssh-5.5.1.tar.sig">http://blabla.com/openssh-5.5.1.tar.sig</A> and would check with the one from +the Database of signatures which has been already populated on the secure +system. If the signatures checking would match, then tarball would be +uploaded to the "secure" system svn and used for building instead of the one +from the contributor/package maintainer. + +[Of course the system would fail if the package maintainer has downloaded +the source tarball from the svn and not from a canonical repository, and to +be further secure this system would require also signing of Patches]. + +Bye. +Giuseppe. +-------------- next part -------------- +An HTML attachment was scrubbed... +URL: </pipermail/mageia-dev/attachments/20100927/dc48d94c/attachment.html> +</PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000292.html">[Mageia-dev] Will this work for a build system? +</A></li> + <LI>Next message: <A HREF="000296.html">[Mageia-dev] Will this work for a build system? +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#295">[ date ]</a> + <a href="thread.html#295">[ thread ]</a> + <a href="subject.html#295">[ subject ]</a> + <a href="author.html#295">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |