launchpad-dev team mailing list archive

Thread
Date

Re: Immediate plan for Build Farm generic jobs

To: Julian Edwards <julian.edwards@xxxxxxxxxxxxx>
From: Robert Collins <robertc@xxxxxxxxxxxxxxxxx>
Date: Thu, 19 Nov 2009 14:41:28 +1100
Cc: Andrew Bennetts <andrew@xxxxxxxxxxxxx>, launchpad-dev@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4B042CC6.9010306@canonical.com>

(private branches, security)

One way would be:
Give the slaves (outside the chroots/vms) an OAuth key for accessing LP,
and permit OAuth access to private branches.

Given that recipe execution (with arbitrary commands *disabled*) is safe
to run outside the chroot, the combination would seem safe to me.

If we need arbitrary command execution we have move the recipe *build*
step inside the vm/chroot environment, and there we'd want to use URL
aliases + a mirror of the branch made from outside the vm/chroot.

But that (temporary mirroring) is much more CPU work and more complex to
boot.

-Rob

Attachment: signature.asc
Description: This is a digitally signed message part

References

Immediate plan for Build Farm generic jobs
From: Julian Edwards, 2009-11-13
Re: Immediate plan for Build Farm generic jobs
From: Michael Hudson, 2009-11-18
Re: Immediate plan for Build Farm generic jobs
From: Julian Edwards, 2009-11-18
Re: Immediate plan for Build Farm generic jobs
From: Aaron Bentley, 2009-11-18
Re: Immediate plan for Build Farm generic jobs
From: Julian Edwards, 2009-11-18