opensource-assist

No description provided.

@zware
Member

zware commented Jan 29, 2020

This seems out of place and unnecessary to me.

@opensource-assist
Author

opensource-assist commented Jan 29, 2020

@zware

This seems out of place and unnecessary to me.

What do you mean by out of place?
Anyway, this was indeed necessary to be mentioned, because I was concerned with the security of using third-party buildbots and if they can tamper with Python releases.
This seemed important to me.
I originally shared this concern on the buildbots mailing list and got this answer from one of the core developers.

Co-Authored-By: Pablo Galindo <[email protected]>
@zware
Member

zware commented Jan 29, 2020

This page is geared towards buildbot worker operators, not so much general information about the buildbots (there's the buildbots.rst page that's a bit closer to that goal).

As far as "unnecessary", it's fairly clear by looking at the build configurations or logs (which would be a lot more trustworthy than a random note in documentation that frequently drifts out of date, for anyone who is truly concerned about security) that we don't even currently build installers on the buildbots, much less produce release materials.

@opensource-assist
Author

opensource-assist commented Jan 29, 2020

@zware

This page is geared towards buildbot worker operators, not so much general information about the buildbots (there's the buildbots.rst page that's a bit closer to that goal).

I was thinking about that too; but as I saw that there was a section on buildworker.rst about security considerations, I just wanted to put it in there.
I also wanted to notify any evil-minded entities about this security precaution when they browse the buildworker.rst page.

As far as "unnecessary", it's fairly clear by looking at the build configurations or logs (which would be a lot more trustworthy than a random note in documentation that frequently drifts out of date, for anyone who is truly concerned about security) that we don't even currently build installers on the buildbots, much less produce release materials.

That's the whole point of documenting something, you wanna make it easier for other people to know about the inner workings of the buildbots. It gives peace of mind to anybody reading it, if they were concerned.

@willingc
Collaborator

Hi @opensource-assist. Thanks for the documentation suggestion. Looking at the suggested text and others' comments I am closing this PR as out of scope for the devguide. Thanks! 🌻

@willingc willingc closed this Oct 19, 2020