On Tue, Jan 19, 2021 at 02:26:19PM +0100, Paolo Bonzini wrote: > Currently, the website is rebuilt on qemu-project.org using > a separate container (https://github.com/stefanha/qemu-docs/) > cron job hook. We can instead reuse the GitLab's CI artifacts. > > To do so, we use the same mechanism that is already in place for > qemu-web.git. > > Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> > --- > .gitlab-ci.yml | 23 ++++++++++++++++++++++ > tests/docker/dockerfiles/ubuntu2004.docker | 2 ++ > 2 files changed, 25 insertions(+)
Hmm...the UNIX account on qemu.org is locked down to some extent but I don't feel comfortable with a GitLab CI job sshing into qemu.org. ssh access aside, we are publishing HTML from a shared CI runner to qemu.org. Effectively we are allowing an untrusted machine to publish HTML/JS/CSS on qemu.org. It could steal HTTP Cookies or do other malicious things. That is less of a problem when there is a dedicated subdomain so that the Same Origin policy can provide isolation. Maybe there are more recent web security mechanisms that allow us to define a policy so browsers do not treat qemu.org/docs/* the same as other qemu.org pages? (This wasn't a problem before since the container was running on a dedicated instance under our control.) Stefan
signature.asc
Description: PGP signature
