Diffstat (limited to 'bbot')
-rw-r--r-- | bbot/security | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/bbot/security b/bbot/security new file mode 100644 index 0000000..47b7c85 --- /dev/null +++ b/bbot/security @@ -0,0 +1,14 @@ +- bbot security considerations [idea] + +* Probably the only way to build and more importantly run tests for untrusted + packages is in a throw-away virtual machine. I.e., clone the VM, build a + package (or a group of packages from the same group/vendor), and then throw + it away. + + Immediate questions are how to extract the result and allow downloading of + dependent packages (if the network is locked down). We could probably mount + the image and copy the result out manually; a bit hairy but secure. + + Will also probably have to limit the VM's execution time. + + We could try to run VM on a ramdisk to minimize SSD wear. Or use ZFS (COW). |
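Review bot: In the second paragraph, "mount the image and copy the result out manually; a bit hairy but secure" overstates the guarantee. After an untrusted build, the image's filesystem is attacker-controlled data, and mounting it on the host hands that data to the host's filesystem driver. Suggest dropping "but secure", or noting that the mount should happen somewhere equally disposable (for example a second throw-away VM) and that the copied-out result must itself be treated as untrusted input (paths, symlinks, size). The same paragraph raises downloading dependent packages with the network locked down but leaves it open; a line on whether dependencies are fetched before the clone or through a restricted proxy would help. The execution-time limit in the third paragraph should say it is enforced from the host side, since a limit set inside the VM is under the package's control.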