- bbot security considerations [idea]
* Probably the only way to build and more importantly run tests for untrusted
packages is in a throw-away virtual machine. I.e., clone the VM, build a
package (or a group of packages from the same group/vendor), and then throw
it away.
Immediate questions are how to extract the result and allow downloading of
dependent packages (if the network is locked down). We could probably mount
the image and copy the result out manually; a bit hairy but secure.
Will also probably have to limit the VM's execution time.
We could try to run the VM on a ramdisk to minimize SSD wear. Or use ZFS (COW).
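
One way the clone/build/throw-away cycle above could look on the host, as an added sketch that is not part of the original note or of bbot. QEMU, qcow2 overlays and libguestfs are assumptions, as are the /result guest path, the /dev/shm overlay location and a base image that already contains the dependencies (so the guest gets no network device at all).

```shell
#!/bin/sh
# Added example: one build in a throw-away VM. QEMU and libguestfs are
# assumptions; the note does not name a hypervisor.
# DRY_RUN=1 prints the host commands instead of running them.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Run a command under a wall-clock limit; return 2 if it had to be killed.
run_limited() {
  limit=$1; shift
  rc=0
  run timeout -k 10 "$limit" "$@" || rc=$?
  case $rc in
    124|137) return 2 ;;   # 124: limit hit, 137: needed SIGKILL
    *)       return "$rc" ;;
  esac
}

# build_in_throwaway_vm BASE_IMAGE OUT_DIR LIMIT_SECONDS
# BASE_IMAGE must be an absolute path (qcow2 backing-file reference).
build_in_throwaway_vm() {
  base=$1; out=$2; limit=$3
  # Hypothetical ramdisk location for the overlay (keeps writes off the SSD).
  overlay="${OVERLAY_DIR:-/dev/shm}/bbot-$$.qcow2"
  st=0

  # "Clone" = copy-on-write overlay; the base image is never written.
  run qemu-img create -q -f qcow2 -F qcow2 -b "$base" "$overlay" || return 1

  # No network device at all; the guest is assumed to build on boot,
  # leave its result in /result (hypothetical path) and power off.
  run_limited "$limit" qemu-system-x86_64 -m 2048 -display none -nic none \
    -drive "file=$overlay,if=virtio,format=qcow2" || st=$?

  # Copy the result out through the libguestfs appliance, so the host kernel
  # never mounts a filesystem the untrusted build could have modified.
  if [ "$st" -eq 0 ]; then
    run virt-copy-out -a "$overlay" /result "$out" || st=$?
  fi

  run rm -f "$overlay"     # throw the clone away whatever happened
  return "$st"
}
```

A return status of 2 means the build hit the time limit; nothing is copied out in that case and the overlay is still deleted.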