On Tue, Jan 19, 2021 at 02:56:22PM +0000, Stefan Hajnoczi wrote:
> On Tue, Jan 19, 2021 at 02:26:19PM +0100, Paolo Bonzini wrote:
> > Currently, the website is rebuilt on qemu-project.org using
> > a separate container (https://github.com/stefanha/qemu-docs/)
> > cron job hook. We can instead reuse the GitLab's CI artifacts.
> >
> > To do so, we use the same mechanism that is already in place for
> > qemu-web.git.
> >
> > Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
> > ---
> >  .gitlab-ci.yml                             | 23 ++++++++++++++++++++++
> >  tests/docker/dockerfiles/ubuntu2004.docker |  2 ++
> >  2 files changed, 25 insertions(+)
>
> Hmm...the UNIX account on qemu.org is locked down to some extent but I
> don't feel comfortable with a GitLab CI job sshing into qemu.org.
>
> ssh access aside, we are publishing HTML from a shared CI runner to
> qemu.org. Effectively we are allowing an untrusted machine to publish
> HTML/JS/CSS on qemu.org. It could steal HTTP Cookies or do other
> malicious things. That is less of a problem when there is a dedicated
> subdomain so that the Same Origin policy can provide isolation. Maybe
> there are more recent web security mechanisms that allow us to define a
> policy so browsers do not treat qemu.org/docs/* the same as other
> qemu.org pages?

The "easy" option is to just stop using qemu.org/docs and instead have
docs.qemu.org and make it a cname for qemu-project.gitlab.io. Then
gitlab can be serving the docs directly.

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
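
The isolation argument in this thread, as an added example that is not part of the original messages: it compares the qemu.org/docs layout with the docs.qemu.org layout for origin equality and for which cookies the browser would attach. The cookie names are hypothetical, and the domain matching is a simplified form of RFC 6265 that ignores Path, Secure and the public-suffix check.

```javascript
// Added illustration. Hostnames come from the thread; the cookies are constructed.

// An origin is scheme + host + port. The path is not part of it, so
// /docs/ on the same host is never a separate origin.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Simplified RFC 6265 domain-match. A cookie set with a Domain attribute is
// sent to that domain and every subdomain; a host-only cookie (no Domain
// attribute) is sent to the exact host only.
function cookieSentTo(cookie, url) {
  const host = new URL(url).hostname.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// What the docs content shares with the main site under a given layout.
function exposure(mainUrl, docsUrl, cookies) {
  return {
    sameOrigin: sameOrigin(mainUrl, docsUrl),
    cookiesSent: cookies.filter(c => cookieSentTo(c, docsUrl)).map(c => c.name),
  };
}

// Constructed sample cookies (hypothetical names, not real qemu.org cookies).
const cookies = [
  { name: 'wiki_session', domain: 'qemu.org', hostOnly: true },
  { name: 'site_pref', domain: 'qemu.org', hostOnly: false }, // Domain=qemu.org
];

const pathLayout = exposure('https://qemu.org/', 'https://qemu.org/docs/', cookies);
const subdomainLayout = exposure('https://qemu.org/', 'https://docs.qemu.org/', cookies);

console.log('qemu.org/docs  ->', pathLayout);
console.log('docs.qemu.org  ->', subdomainLayout);
```

The subdomain layout separates the origins, but any cookie issued with Domain=qemu.org still reaches docs.qemu.org, so session cookies on the main site need to be host-only for the isolation to hold.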