On 11/07/2013 12:37 AM, Andreas K. Huettel wrote: > Am Donnerstag, 7. November 2013, 00:18:19 schrieb Denis M.: >> Hello gentoo-dev@, >> >> Starting with a little intro, I'm currently providing a Gentoo VM to a >> gentoo dev (Agostino Sarubbo (ago)) for the purpose of >> testing/stabilizing/keywording packages, which is part of his task as a >> developer and being part of the AT team. I've been running the VM for >> him for a couple of months now and AFAIK he's been giving it a great use >> ;-). >> >> The main idea here is to allow Gentoo contributors and members (not >> necessary) of the Gentoo community, to be able to support the developer >> team providing their spare system resources, by, for example, running a >> Virtual Machine (or any sort of xen, kvm, virtualbox, vmware, >> whatever...) instance where the devs can run tasks they'd normally >> wouldn't be able to run with their systems, because: >> > ... > > I appreciate the idea, but security-wise it's pretty dangerous - given that > you as a Gentoo dev are doing sensitive work that may affect many people on a > machine not controlled by you yourself nor Gentoo Infra.
I completely agree with this, but it's not entirely true. Why? I'll give the example of the AT team: 1. You sync the tree before you start your work (that way you verify the tree is clean). 2. Then you start testing the packages or bugs you're after, which in matter of security is meaningless because testing packages is usually just compiling and running to see if it works as expected. 2.1. Apply random patches to fix if there's an issue. 2.2. goto 2. 3. etc... I see no issue in this in matter of security. Another example would be devs testing packages under development (internal usage in gentoo), for example how new versions of openrc/systemd/glibc/whatever can affect X. I do understand your concern, although I wouldn't call you paranoid as it's just normal to not trust a system that's not completely under your control, but as I said, you don't really... 'care' about it/that. > > Call me paranoid, but please no. And in absolutely no case one should commit > to the tree from such a machine, even with stuff like agent forwarding. > Of course! Commiting or any other form of direct communication with the gentoo infra. (either commit to tree or `git push`-ing to any of the other gentoo repos) would be highly discouraged, and I didn't, in any moment, think someone would think of doing that :P. The idea behind this is using the provided instance only and exclusively for testing something you'd normally can't do on your system. Regards, Denis M.
signature.asc
Description: OpenPGP digital signature
