Good point, Steve.
On 2020-04-20 5:24 p.m., Steve Grundell wrote:
Well, thanks to TLS they're effectively already signed, by Github, to prove that only those with commit rights have produced it, and the commit hash in the url means it will only point to that specific version.
Ste gr
On Mon, Apr 20, 2020 at 9:40 PM Christopher Walker <[email protected]> wrote:
Can we digitally sign the solutions registry files so that the client can verify they were created by us?
Christopher
_______________________________________________
On Mon, Apr 20, 2020 at 16:37 Gregg Vanderheiden RTF <[email protected]> wrote:
Is Github secure enough that we want production code to be downloading from there?
I guess if the URL for downloading is in the siteconfig - we can easily move it later.
gregg
———————————
Professor, University of Maryland, College Park
Director, Trace R&D Center, UMD
Co-Founder Raising the Floor. http://raisingthefloor.org
And the Global Public Inclusive Infrastructure (GPII) http://GPII.net
_______________________________________________
On Apr 20, 2020, at 2:09 PM, Joseph Scheuhammer <[email protected]> wrote:
All, but mostly Stepan, Alfredo, and Sergey (dev-ops),
The goal of GPII-4273[i] is to provide a means by which the Morphic
client can fetch its platform's latest solutions registry from github.
In this case "latest" is defined by the version of gpii-universal
running in the cloud.
I've modified the solutions registry datasource (SRDS) subcomponent of
the local flow manager (LFM) to construct an url to github for the
appropriate solutions registry and make a GET request to download it.
An example of such an url is, assuming Morphic is running on Windows:
https://raw.githubusercontent.com/GPII/universal/bd992f03313acd9a35b81f00fc63922540292255/testData/solutions/win32.json5
I have modified the production tests to test the new LFM and its SRDS.
The production tests involve running docker containers built from an
image of gpii-universal that provide the main components of the GPII cloud.
The production tests also run in GCP in dev and stg. Here a
"productiontests" container is run in which the production tests are
executed as a one-shot job.
Given that background: will the security within GCP allow the LFM/SRDS
within the productiontests container to make the outgoing GET request to
github? I suspect not, but I will test with my dev cluster.
i. https://issues.gpii.net/browse/GPII-4273
--
;;;;joseph.
'The only reason for time is so that everything doesn't happen all at once.'
- B. Banzai -
_______________________________________________
Architecture mailing list
[email protected]
https://lists.gpii.net/mailman/listinfo/architecture
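Added example (not part of the thread and not GPII code): the thread weighs TLS plus a commit-pinned URL against signing the registry files, and this Node.js sketch shows both client-side checks. The function names, the detached Ed25519 signature and the idea of a public key shipped with the client are assumptions; the sample registry bytes and key pair are constructed.

```javascript
// Added example, not GPII code. Function names, the detached-signature scheme
// and the constructed sample data below are assumptions for illustration.
const crypto = require("crypto");

const RAW_HOST = "raw.githubusercontent.com";

// Build the download URL the thread describes, refusing anything that is not
// a full 40-hex commit id (a branch or tag name would not pin the content).
function registryUrl(commit, platform) {
    if (!/^[0-9a-f]{40}$/.test(commit)) {
        throw new Error("commit must be a full 40-character SHA-1 hex id");
    }
    if (!/^[a-z0-9]+$/.test(platform)) {
        throw new Error("unexpected platform name");
    }
    return `https://${RAW_HOST}/GPII/universal/${commit}/testData/solutions/${platform}.json5`;
}

// Verify a detached Ed25519 signature over the exact bytes downloaded.
// Returns the bytes only if the signature checks out against the key the
// client already trusts (shipped with the installer, in this sketch).
function verifyRegistry(bytes, signature, trustedPublicKey) {
    const ok = crypto.verify(null, bytes, trustedPublicKey, signature);
    if (!ok) {
        throw new Error("solutions registry signature check failed");
    }
    return bytes;
}

// Constructed demo: a throwaway key pair stands in for the release key.
function demo() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    const registry = Buffer.from('{ "com.example.app": { name: "Example" } }');
    const sig = crypto.sign(null, registry, privateKey);
    const accepted = verifyRegistry(registry, sig, publicKey).equals(registry);
    let tamperedRejected = false;
    try {
        // One appended byte must invalidate the signature.
        verifyRegistry(Buffer.concat([registry, Buffer.from(" ")]), sig, publicKey);
    } catch (e) {
        tamperedRejected = true;
    }
    return { accepted, tamperedRejected };
}

console.log(registryUrl("bd992f03313acd9a35b81f00fc63922540292255", "win32"));
console.log(demo());
```

The signature check is independent of the transport, so it would still hold if the download URL in the siteconfig were later moved to another host.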
