launchpad-reviewers team mailing list archive

[Merge] ~cjwatson/launchpad-buildd:doc-malware-scanning into launchpad-buildd:master

 

Colin Watson has proposed merging ~cjwatson/launchpad-buildd:doc-malware-scanning into launchpad-buildd:master.

Commit message:
Add basic documentation of malware scanning for CI builds

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad-buildd/+git/launchpad-buildd/+merge/444168
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad-buildd:doc-malware-scanning into launchpad-buildd:master.
diff --git a/debian/changelog b/debian/changelog
index 547f256..905f523 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+launchpad-buildd (234) UNRELEASED; urgency=medium
+
+  * Add basic documentation of malware scanning for CI builds.
+
+ -- Colin Watson <cjwatson@xxxxxxxxxx>  Tue, 06 Jun 2023 11:42:23 +0100
+
 launchpad-buildd (233) focal; urgency=medium
 
   * Only create /dev/dm-* in LXD containers if they don't already exist
diff --git a/docs/explanation/malware-scanning.rst b/docs/explanation/malware-scanning.rst
new file mode 100644
index 0000000..dfbecdc
--- /dev/null
+++ b/docs/explanation/malware-scanning.rst
@@ -0,0 +1,31 @@
+Malware scanning
+****************
+
+Certain CI builds can be configured with ClamAV integration, so that builds
+have a basic malware scan performed on their output files.  This is not yet
+very generalized (it currently only works for builds in the private ``soss``
+distribution), and should not be expected to be robust.
+
+To enable this in a local Launchpad installation, set this in
+``launchpad-lazr.conf`` (or otherwise arrange for ``"scan_malware": true``
+to be included in the arguments dispatched to the builder)::
+
+    [cibuild.soss]
+    scan_malware: True
+
+``database.clamav.net`` rate-limits clients.  To avoid this, and generally
+to be good citizens, we maintain a `private mirror
+<https://docs.clamav.net/appendix/CvdPrivateMirror.html>`_ of the ClamAV
+database.  This is organized using the `clamav-database-mirror
+<https://charmhub.io/clamav-database-mirror>`_ charm, deployed via the
+`vbuilder
+<https://git.launchpad.net/~launchpad/launchpad-mojo-specs/+git/private/tree/vbuilder?h=vbuilder>`_
+Mojo spec (Canonical-internal); on production, this is exposed to builders
+as ``clamav-database-mirror.lp.internal``.  `launchpad-buildd-image-modifier
+<https://git.launchpad.net/charm-launchpad-buildd-image-modifier>`_ is
+configured to pass a suitable local URL on to ``launchpad-buildd``, but you
+can also do this in a local installation by adding something like the
+following to ``/etc/launchpad-buildd/default``::
+
+    [proxy]
+    clamavdatabase = http://clamav-database-mirror.test/
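Review bot: The opening paragraph of malware-scanning.rst says the scan "should not be expected to be robust" but never states what a build does when ClamAV flags an output file, or when the signature database cannot be downloaded. Someone enabling ``scan_malware`` needs to know whether a detection fails the build or is only logged, and whether a scan that could not run is treated as a pass. Please add a sentence covering both cases. In the last paragraph, it would also help to say what happens when ``clamavdatabase`` is not set under ``[proxy]`` (presumably clients go to the rate-limited ``database.clamav.net``, but the text does not say so), and, since the example value is a plain ``http://`` URL, whether an ``https://`` mirror URL is accepted.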
diff --git a/docs/index.rst b/docs/index.rst
index f8ae1de..a80b2b3 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -41,3 +41,4 @@ Explanation
    :maxdepth: 1
 
    explanation/deployment
+   explanation/malware-scanning