On Mon, Nov 12, 2012 at 12:08:35PM -0500, Seth Vidal wrote:
> >That would be fine, as long as we can be very sure about the access control
> >and chain of identity assurance.
> I don't know how/if we do that _now_.
> I mean - we know who set up the koji builders and where koji lives
> but 'chain of identity assurance'..... That sounds awfully specific
> and legalistic.
> Maybe you can describe what that phrase means to you so I can
> understand that a bit better.

Sure. :)

First, I'll happily assume that people who have admin access to the builders are a black box of trust -- there's plenty of internal accountability and logging and whatever.

What I mean is: when I build a package for Fedora, I go through the Koji build system. I can't just kludge up a binary RPM and have it get sent out into the mirror. And, anyone can go into Koji and see the packages I've built -- and see how they were built, if they want. And although the GPG package signing process is also a black box to some degree, Bodhi gives pretty good transparency into the path an update takes.

This isn't just good for distribution security, but it's also good for repeatability, and it's convenient for me as a packager.

I want all of that for the cloud images. Any (technically-minded) end user should be able to work back from the image checksum to the actual build logs.

> 'known clean'? What kind of clean do you want? If we use a new
> instance to build a new image is that clean enough? I'm certain I
> could do all of it in a single ansible playbook: spin up a new
> instance in euca, attach a set of disks, run ami-creator, retrieve
> the results. It's not very difficult at all, actually.

Yes, that kind of clean.

> >For the purposes of Rawhide nightlies (pushed to alt.fedoraproject.org?),
> >I'm perfectly fine with trusting me to do the right thing. :) For the
> >alpha, beta, and final builds, as well as possible mid-release image
> >updates, I'd like access to go through some control system, whatever that
> >might be.
> Let me know what you think the control system requires to be
> considered "safe".

I think:

* all input to the build command should be recorded
  - save exact command-line arguments
  - either collect the kickstart file provided or require it to be pulled from a Fedora hosted git repo (and record what was pulled)
* checksums of the output should be generated and recorded
* no opportunity for the person doing the build to write anything into the build process while it's in progress, and no opportunity to alter the above records.

Does that seem sound?

Also, build logs should be stored, but that's more for information, debugging, and convenience than anything else.

If the person doing the build normally has admin access on Fedora build systems, they shouldn't on this one. Trust but verify and all that.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm@xxxxxxxxxxxxxxxxx>

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
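The record-keeping Matthew lists (exact command line, which kickstart was fed in and where it was pulled from, checksums of every output, and a record nobody can quietly edit afterwards) fits in a small provenance manifest. The script below is an added example written for this page, not code from the thread or from Fedora infrastructure: it captures the inputs before the build, checksums the outputs after it, and seals the whole record with its own SHA-256 so that a reader who starts from a published manifest hash can work back to the artifacts and detect either a swapped image or an altered record. The repo URL, the commit id, the `ami-creator` argument list and the output bytes are all constructed placeholders.

```python
"""Build-provenance manifest for an image build (added example).

Implements the control-system requirements from the thread:
  * record all input to the build command (argv, kickstart + its origin)
  * generate and record checksums of the output
  * make after-the-fact alteration of the record detectable

Everything here (repo URL, commit, argv, artifact bytes) is constructed
sample data, not real Fedora build inputs.
"""
import hashlib
import json
import shlex
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_inputs(argv, kickstart_text, kickstart_repo, kickstart_commit, started=None):
    """Capture everything that went INTO the build, before it starts."""
    return {
        "command": shlex.join(argv),                 # exact command line, shell-quoted
        "kickstart": {
            "repo": kickstart_repo,                   # where the ks was pulled from
            "commit": kickstart_commit,               # which revision was pulled
            "sha256": sha256_hex(kickstart_text.encode()),  # and what it contained
        },
        "started": started or datetime.now(timezone.utc).isoformat(),
    }


def record_outputs(outputs):
    """Checksum every produced artifact; `outputs` maps name -> bytes."""
    return {name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in sorted(outputs.items())}


def canonical(manifest) -> bytes:
    """Deterministic JSON encoding so the manifest hash is reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(inputs, outputs):
    """Combine inputs and output checksums, then seal with the record's own hash.
    The manifest_sha256 value is what you would publish next to the image."""
    manifest = {"inputs": inputs, "outputs": record_outputs(outputs)}
    manifest["manifest_sha256"] = sha256_hex(canonical(manifest))
    return manifest


def verify(manifest, outputs):
    """Work back from a manifest to the artifacts. Returns (ok, reasons).
    Fails if the record was edited after sealing or if any artifact no
    longer matches the checksum recorded at build time."""
    reasons = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(canonical(body)) != manifest.get("manifest_sha256"):
        reasons.append("manifest hash mismatch (record altered)")
    for name, meta in manifest["outputs"].items():
        data = outputs.get(name)
        if data is None:
            reasons.append(f"missing output {name}")
        elif sha256_hex(data) != meta["sha256"]:
            reasons.append(f"checksum mismatch for {name}")
    return (not reasons, reasons)


# Constructed sample build: a placeholder kickstart, a placeholder git origin,
# and two fake artifacts standing in for the image and its build log.
SAMPLE_KS = "lang en_US.UTF-8\nrootpw --lock\n%packages\n@core\n%end\n"
SAMPLE_ARGV = ["ami-creator", "-c", "fedora-cloud.ks", "-n", "Fedora-18-Cloud"]
SAMPLE_REPO = "https://example.invalid/cloud-kickstarts.git"   # placeholder
SAMPLE_COMMIT = "0000000000000000000000000000000000000000"       # placeholder
SAMPLE_OUTPUTS = {"Fedora-18-Cloud.raw": b"\x00" * 64, "build.log": b"ok\n"}


def demo():
    inputs = record_inputs(SAMPLE_ARGV, SAMPLE_KS, SAMPLE_REPO, SAMPLE_COMMIT,
                           started="2012-11-12T17:30:00+00:00")
    manifest = make_manifest(inputs, SAMPLE_OUTPUTS)
    return manifest, verify(manifest, SAMPLE_OUTPUTS)


if __name__ == "__main__":
    manifest, result = demo()
    print(json.dumps(manifest, indent=2))
    print("verify:", result)
```

Recording the kickstart's commit id alongside the hash of its content covers both halves of the requirement: the commit says what was pulled from the git repo, and the content hash catches a kickstart that was modified locally before the build ran. Keeping the sealed manifest on a host the builder cannot write to is what turns "recorded" into "cannot be altered".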