IRC logs for #buildstream for Tuesday, 2023-05-16

*** SamThursfield[m] <SamThursfield[m]!ssssammatr@2001:470:1af1:104:0:0:0:220c> has joined #buildstream00:06
*** nanonyme <nanonyme!nanonyme@2001:470:1af1:104:0:0:0:45ea> has joined #buildstream01:08
*** MatrixTravelerbot[m] <MatrixTravelerbot[m]!voyagert2b@2001:470:1af1:104:0:0:0:2261> has joined #buildstream01:28
*** AdrianVovk[m] <AdrianVovk[m]!adrianvovk@2001:470:1af1:104:0:0:0:2e2a> has joined #buildstream01:41
*** vchernin[m] <vchernin[m]!vcherninfe@2001:470:1af1:104:0:0:0:49f6> has joined #buildstream01:43
*** jjardon[m] <jjardon[m]!jjardonmat@2001:470:1af1:104:0:0:0:224c> has joined #buildstream01:57
*** TheMuso[m] <TheMuso[m]!themuso82m@2001:470:1af1:104:0:0:0:4d68> has joined #buildstream02:08
*** WadeBerrier[m] <WadeBerrier[m]!wberrierma@2001:470:1af1:104:0:0:0:492d> has joined #buildstream02:09
*** robjh[m] <robjh[m]!~robjhm@2001:470:1af1:104:0:0:0:48ba> has joined #buildstream02:12
*** wsalmon[m] <wsalmon[m]!wsalmonmat@2001:470:1af1:104:0:0:0:5c0b> has joined #buildstream02:32
*** doras <doras!doras@2001:470:1af1:104:0:0:0:220b> has joined #buildstream02:35
*** danigm[m] <danigm[m]!danigmgnom@2001:470:1af1:104:0:0:0:3a57> has joined #buildstream03:55
*** abderrahim[m] <abderrahim[m]!abderrahim@2001:470:1af1:104:0:0:0:3558> has joined #buildstream03:58
*** tristan <tristan!tristan@2001:2d8:e3b5:4a14:d3dd:30a5:4ee6:f333> has joined #buildstream05:43
*** ChanServ sets mode: +o tristan05:43
*** tristan <tristan!tristan@2001:2d8:e3b5:4a14:d3dd:30a5:4ee6:f333> has quit IRC06:17
*** tristan <tristan!tristan@2001:2d8:f0a3:9efd:364a:ea04:f15:7ebc> has joined #buildstream07:17
*** ChanServ sets mode: +o tristan07:17
*** tristan <tristan!tristan@2001:2d8:f0a3:9efd:364a:ea04:f15:7ebc> has quit IRC08:10
SamThursfield[m]Interesting question. I don't think anyone's spent time working on a way to keep secrets inside of build artifacts - as you say, you either have to treat your entire build infrastructure as confidential, or do to sensitive processing outside of BuildStream08:47
SamThursfield[m]*do the sensitive processing08:48
*** tristan <tristan!tristan@2001:2d8:e4b1:13bb:eabc:886e:abd5:3c9c> has joined #buildstream09:16
*** ChanServ sets mode: +o tristan09:16
juergbinanonyme: Not sure how we can improve this from within BuildStream. If both fetchers and builders are fighting for I/O, maybe it would make sense to add a configuration for the number of total jobs that affects all kinds of jobs and there prefer build jobs over fetch jobs (and push over build)09:37
juergbiAdrianVovk[m]: This was actually brought up at the last monthly meeting of the Remote Execution API working group. A proposal might be coming for this09:38
juergbi(not particularly aimed at BuildStream but REAPI in general)09:39
nanonymeThat sounds super-problematic from reproducible builds point of view09:39
juergbiIt is09:39
juergbiThe signature can probably be excluded for reproducibility comparison purposes, though09:40
juergbiIf secrets are used for something else than signatures, it may be a bigger issue09:40
juergbiStill potentially problematic even with regards to the buildstream cache key09:42
juergbiFor reference, here are the meeting notes: https://docs.google.com/document/d/1EtQMTn-7sKFMTxIMlb0oDGpvGCMAuzphVcfx58GWuEM/edit#09:43
nanonymeYeah but by definition adding signing means you can only reproduce build on machine that supports said signing09:54
nanonymejuergbi: I would be happier with signing happening through bst shell09:57
nanonymeBut with remote execution there may be madness of course09:57
nanonymeLike so you build signing tools, key, data to be signed into sandbox and output directory into sandbox, sign and have signature file on disk09:59
nanonymeBut signature file never goes into artifact cache09:59
*** tristan <tristan!tristan@2001:2d8:e4b1:13bb:eabc:886e:abd5:3c9c> has quit IRC10:50
AdrianVovk[m]<nanonyme> "juergbi: I would be happier with..." <- Hmm that's an idea. I can have an element that signs & packages up everything, but I only execute it through `bst shell`. Into the bst shell I just bind-mount in my secrets from the host filesystem13:38
nanonymeYeah, we have been doing similar stuff earlier for flatpak13:42
AdrianVovk[m]And I suppose for things like fwupd I can just edit my image instead of simply using it. I think that should be possible anyway. So like the signing step extracts fwupd and sd-boot out of my squashfs, signs it, and then appends the signed files back into the squashfs13:42
AdrianVovk[m]I'll give that a shot and see how it goes. I'll keep an eye out for that REAPI change too. Thanks for the input :)13:44
nanonymeJürg Billeter: is there normally one buildbox-fuse process globally or one per sandbox?20:55

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!