Re: P2P Packaging/Koji Cloud

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Le mercredi 07 décembre 2011 à 10:36 -0500, seth vidal a écrit :

> I've looked into spawning virt instances to do building and it is
> pretty doable. The problem with them being offered by volunteers is
> trust:
> 
> 1. how do we trust the initial installation hasn't been poisoned unless
> we ship all the bits over ourselves.
> 2. how do we trust the in-flight build isn't molested
> 3. how do the people providing the trust insure against
> tainted/dangerous builds doing $bad_things on their systems.
> 
> this is why I concluded that the idea of donated/volunteered VM was not
> going to work - additionally b/c the bandwidth requirements are
> non-trivial for many builds.

Concerning trust, the classic way it has been solved before (by seti…)
is to farm the same build to several independant nodes, cheksum results
and make sure they all agree

Of course that supposes builds are strictly reproductible (centos folks
would love this) and that makes the system a lot less efficient. But
then, trust has a price too


-- 
Nicolas Mailhot

_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud



[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Big List of Linux Books]     [Yosemite News]     [Linux Apps]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]

  Powered by Linux