SamThursfield[m] | Interesting question. I don't think anyone's spent time working on a way to keep secrets inside of build artifacts - as you say, you either have to treat your entire build infrastructure as confidential, or do to sensitive processing outside of BuildStream | 08:47 |
---|---|---|
SamThursfield[m] | *do the sensitive processing | 08:48 |
juergbi | nanonyme: Not sure how we can improve this from within BuildStream. If both fetchers and builders are fighting for I/O, maybe it would make sense to add a configuration for the number of total jobs that affects all kinds of jobs and there prefer build jobs over fetch jobs (and push over build) | 09:37 |
juergbi | AdrianVovk[m]: This was actually brought up at the last monthly meeting of the Remote Execution API working group. A proposal might be coming for this | 09:38 |
juergbi | (not particularly aimed at BuildStream but REAPI in general) | 09:39 |
nanonyme | That sounds super-problematic from a reproducible builds point of view | 09:39 |
juergbi | It is | 09:39 |
juergbi | The signature can probably be excluded for reproducibility comparison purposes, though | 09:40 |
juergbi | If secrets are used for something else than signatures, it may be a bigger issue | 09:40 |
juergbi | Still potentially problematic even with regards to the buildstream cache key | 09:42 |
juergbi | For reference, here are the meeting notes: https://docs.google.com/document/d/1EtQMTn-7sKFMTxIMlb0oDGpvGCMAuzphVcfx58GWuEM/edit# | 09:43 |
nanonyme | Yeah, but by definition adding signing means you can only reproduce the build on a machine that supports said signing | 09:54 |
nanonyme | juergbi: I would be happier with signing happening through bst shell | 09:57 |
nanonyme | But with remote execution there may be madness of course | 09:57 |
nanonyme | Like so you build signing tools, key, data to be signed into sandbox and output directory into sandbox, sign and have signature file on disk | 09:59 |
nanonyme | But signature file never goes into artifact cache | 09:59 |
AdrianVovk[m] | <nanonyme> "juergbi: I would be happier with..." <- Hmm that's an idea. I can have an element that signs & packages up everything, but I only execute it through `bst shell`. Into the bst shell I just bind-mount in my secrets from the host filesystem | 13:38 |
nanonyme | Yeah, we have been doing similar stuff earlier for flatpak | 13:42 |
AdrianVovk[m] | And I suppose for things like fwupd I can just edit my image instead of simply using it. I think that should be possible anyway. So like the signing step extracts fwupd and sd-boot out of my squashfs, signs it, and then appends the signed files back into the squashfs | 13:42 |
AdrianVovk[m] | I'll give that a shot and see how it goes. I'll keep an eye out for that REAPI change too. Thanks for the input :) | 13:44 |
nanonyme | Jürg Billeter: is there normally one buildbox-fuse process globally or one per sandbox? | 20:55 |