IRC logs for #buildstream for Monday, 2023-05-15

SamThursfield[m]	hey @abderrahim:gnome.org , updated https://github.com/apache/buildstream/pull/1840 to use Ubuntu 20.04 everywhere, now it requires maintainer approval again for the CI to start	09:32
nanonyme	Sam Thursfield: note there is also 22.04 if you hit issues with 20.04	15:21
nanonyme	juergbi: looks like on IO-starved machine fetching artifacts completely stalls ongoing build	19:38
nanonyme	This seems not optimal. Pulling more artifacts should probably be lower-priority background operation	19:39
nanonyme	juergbi: I think buildbox-casd should potentially run on lower IO and CPU priority	20:04
nanonyme	It competes on system resources with actual builds and it might end up doing quite a lot of work in large projects at the beginning of pipeline	20:24
AdrianVovk[m]	Hello all! What's the recommended way to introduce secrets into buildstream builds? By secrets I mean secure boot signing keys, GPG private keys, etc.	20:57
AdrianVovk[m]	Basically, I plan on having the keys be protected with some sort of hardware module, and otherwise be encrypted/inaccessible at rest. Down the line this could involve some more complicated scheme ensure the keys remain private until it's time to use them for a release. But buildstream does all kinds of things, including copying around files in the event of build failures, caching artifacts, etc. I worry about leaking the secrets.	20:57
AdrianVovk[m]	Something trivial like having the secret around in the sandbox while an element fails will make a copy of the secret in ~/.cache/buildstream, which is worrisome. Something more complicated like sending secrets between build machines and/or caching is even worse.	20:57
AdrianVovk[m]	I understand that the absolute simplest way would be to just do all the signing outside of buildstream. However, that is not very practical. For one, packages like fwupd need to both be signed and put into my rootfs image, so the only way to make that work would be to export the rootfs and then sign+squash outside of buildstream, but then buildstream loses all the permissions/setuid/etc and breaks the system. For two, I do not	20:57
AdrianVovk[m]	want to rely on or even trust the hosts's tooling: I shouldn't be relying on the host to have mksquashfs or sbsign or a new enough systemd for ukify.	20:57
AdrianVovk[m]	Any suggestions?	20:57
*** devcurmudgeon[m] <devcurmudgeon[m]!devcurmudg@2001:470:1af1:104:0:0:0:4be6> has quit IRC		22:17
*** SamThursfield[m] <SamThursfield[m]!ssssammatr@2001:470:1af1:104:0:0:0:220c> has quit IRC		22:17
*** vchernin[m] <vchernin[m]!vcherninfe@2001:470:1af1:104:0:0:0:49f6> has quit IRC		22:18
*** nanonyme <nanonyme!nanonyme@2001:470:1af1:104:0:0:0:45ea> has quit IRC		22:18
*** MatrixTravelerbot[m] <MatrixTravelerbot[m]!voyagert2b@2001:470:1af1:104:0:0:0:2261> has quit IRC		22:18
*** AdrianVovk[m] <AdrianVovk[m]!adrianvovk@2001:470:1af1:104:0:0:0:2e2a> has quit IRC		22:18
*** jjardon[m] <jjardon[m]!jjardonmat@2001:470:1af1:104:0:0:0:224c> has quit IRC		22:18
*** robjh[m] <robjh[m]!~robjhm@2001:470:1af1:104:0:0:0:48ba> has quit IRC		22:18
*** wsalmon[m] <wsalmon[m]!wsalmonmat@2001:470:1af1:104:0:0:0:5c0b> has quit IRC		22:18
*** TheMuso[m] <TheMuso[m]!themuso82m@2001:470:1af1:104:0:0:0:4d68> has quit IRC		22:18
*** WadeBerrier[m] <WadeBerrier[m]!wberrierma@2001:470:1af1:104:0:0:0:492d> has quit IRC		22:18
*** JrgBilleter[m] <JrgBilleter[m]!juergbimat@2001:470:1af1:104:0:0:0:6317> has quit IRC		22:18
*** danigm[m] <danigm[m]!danigmgnom@2001:470:1af1:104:0:0:0:3a57> has quit IRC		22:18
*** doras <doras!doras@2001:470:1af1:104:0:0:0:220b> has quit IRC		22:18
*** abderrahim[m] <abderrahim[m]!abderrahim@2001:470:1af1:104:0:0:0:3558> has quit IRC		22:18
*** JrgBilleter[m] <JrgBilleter[m]!juergbimat@2001:470:1af1:104:0:0:0:6317> has joined #buildstream		22:51
*** devcurmudgeon[m] <devcurmudgeon[m]!devcurmudg@2001:470:1af1:104:0:0:0:4be6> has joined #buildstream		23:17

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!