launchpad-reviewers team mailing list archive
Message #30062
[Merge] ~cjwatson/launchpad-buildd:doc-malware-scanning into launchpad-buildd:master
Colin Watson has proposed merging ~cjwatson/launchpad-buildd:doc-malware-scanning into launchpad-buildd:master.
Commit message:
Add basic documentation of malware scanning for CI builds
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/launchpad-buildd/+git/launchpad-buildd/+merge/444168
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad-buildd:doc-malware-scanning into launchpad-buildd:master.
diff --git a/debian/changelog b/debian/changelog
index 547f256..905f523 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+launchpad-buildd (234) UNRELEASED; urgency=medium
+
+ * Add basic documentation of malware scanning for CI builds.
+
+ -- Colin Watson <cjwatson@xxxxxxxxxx> Tue, 06 Jun 2023 11:42:23 +0100
+
launchpad-buildd (233) focal; urgency=medium
* Only create /dev/dm-* in LXD containers if they don't already exist
diff --git a/docs/explanation/malware-scanning.rst b/docs/explanation/malware-scanning.rst
new file mode 100644
index 0000000..dfbecdc
--- /dev/null
+++ b/docs/explanation/malware-scanning.rst
@@ -0,0 +1,31 @@
+Malware scanning
+****************
+
+Certain CI builds can be configured with ClamAV integration, so that builds
+have a basic malware scan performed on their output files. This is not yet
+very generalized (it currently only works for builds in the private ``soss``
+distribution), and should not be expected to be robust.
+
+To enable this in a local Launchpad installation, set this in
+``launchpad-lazr.conf`` (or otherwise arrange for ``"scan_malware": true``
+to be included in the arguments dispatched to the builder)::
+
+ [cibuild.soss]
+ scan_malware: True
+
+``database.clamav.net`` rate-limits clients. To avoid this, and generally
+to be good citizens, we maintain a `private mirror
+<https://docs.clamav.net/appendix/CvdPrivateMirror.html>`_ of the ClamAV
+database. This is organized using the `clamav-database-mirror
+<https://charmhub.io/clamav-database-mirror>`_ charm, deployed via the
+`vbuilder
+<https://git.launchpad.net/~launchpad/launchpad-mojo-specs/+git/private/tree/vbuilder?h=vbuilder>`_
+Mojo spec (Canonical-internal); on production, this is exposed to builders
+as ``clamav-database-mirror.lp.internal``. `launchpad-buildd-image-modifier
+<https://git.launchpad.net/charm-launchpad-buildd-image-modifier>`_ is
+configured to pass a suitable local URL on to ``launchpad-buildd``, but you
+can also do this in a local installation by adding something like the
+following to ``/etc/launchpad-buildd/default``::
+
+ [proxy]
+ clamavdatabase = http://clamav-database-mirror.test/
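Review bot: The first paragraph of malware-scanning.rst says builds "have a basic malware scan performed on their output files" but never states the outcome handling. Please document whether a ClamAV detection fails the build or is only logged, and what the builder does when the clamavdatabase URL under [proxy] is unset or the mirror is unreachable (skip the scan, or fail the build). As written, "should not be expected to be robust" leaves an operator unable to tell a clean scan from a scan that did not run. Two smaller points in the same file: the dispatched argument is written as JSON "scan_malware": true while the [cibuild.soss] value is written True, so a short remark that the difference is intentional would stop readers copying one spelling into the other place; and the clamavdatabase example uses a plain http:// URL, so it would help to say whether unencrypted transport to the internal mirror is the expected setup.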
diff --git a/docs/index.rst b/docs/index.rst
index f8ae1de..a80b2b3 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -41,3 +41,4 @@ Explanation
:maxdepth: 1
explanation/deployment
+ explanation/malware-scanning