launchpad-dev team mailing list archive

[Aaron Bentley <aaron@xxxxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Edwards wrote:
>>    - the issues of accessing private branches from the buildslaves
>>      scares me a bit, I hope we can avoid worrying about that until some
>>      time in 2010.
> 
> Yeah, I had only considered the firewall rules from the slaves.
> Presumably we'll need a buildd-slave SSH key that can access everything?

For trusted machines, we can grant them access to the internal http
hosting that provides access to everything.  This is used by loggerhead,
for example.  The problem is that the build slaves are not trusted
machines-- they run arbitrary code.

Perhaps we can upload the branches to the slaves instead of allowing the
slaves to download them?  That would reduce the scope for mischief to
disclosing the contents of the private branches related to the recipe.

> Hopefully yes.  One thing that we need to make sure of is that *all*
> build jobs must have a determinate build time.

By this, you mean an ETA, or time-to-build?

Aaron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksEKwAACgkQ0F+nu1YWqI2VtwCghRhDEqJnQR6Isa1fW6phr7Ch
CkAAniRxP0GnTvZJH/VhwzSOkAIzeKa0
=dsaM
-----END PGP SIGNATURE-----