Hi Bastian,

On Wed, Jul 28, 2021 at 10:24:46AM +0200, Bastian Blank wrote:
> On Mon, Jul 26, 2021 at 09:54:23PM -0700, Ross Vandegrift wrote:
> > The second disadvantage recently came up in [1]. I proposed a possible fix for
> > discussion at [2]. Bastian thought the discussion needed to happen on the ML,
> > not salsa. So here we are!
>
> My largest problem with that change is that it removes
> | - Access credentials for vendor and Debian infrastructure only exist in
> |   the new group, so accidentally leaking them is way harder.

That doesn't seem right - the MR doesn't affect credential storage or team membership.

> So we would need to again completely trust anyone on the normal cloud
> team group.
>
> There is no real way around either options, you either
> - need to trust everyone with write access to the code (and this trust
>   was dented lately, after the person in question not even answered on
>   my question why he thought this would be appropriate) or
> - "manually" move the changes forward.

This is a different worry, I think I understand. Let me repeat to check.

You think we shouldn't trust the code in debian-cloud-images so readily, since a wider group of folks could commit malicious code. Updating the submodule automatically would expose us to the following risk:
- someone commits malicious code to debian-cloud-images
- the next nightly pipeline pulls that code without review and runs it
- that provides access to run code on core machines, and could enable publishing daily builds with malicious contents.

Am I understanding?

Ross
