On Mon, 1 Jul 2013 23:53:30 -0400
seth vidal <skvidal(a)fedoraproject.org> wrote:

> Actually I mean on the private cloud security groups level.
>
> Iptables on the builder would be meaningless - anyone who can install
> a package into the chroot is effectively root. rpm pkgs are installed
> as root and any root user can walk out of a chroot - counting on
> iptables on the buildsystem is unsafe - we'd need to do it with
> security groups in the cloud system.

I wanted to add something here - we can easily restrict external access
from these boxes to port 80 or 443 on any system anywhere, and nothing
else.

I don't think that's an unreasonable limitation on users and it does
help prevent someone from leaping off overly much from one of those
systems.

-sv
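
Added example, not part of the original message or of any Fedora tooling: a small audit that checks security-group egress rules against the policy proposed above (outbound TCP 80 and 443 to any destination, nothing else). The rule schema (`protocol`, `port_min`, `port_max`, `cidr`), the group names and the sample rules are assumptions constructed for illustration; what a group with no egress rules permits depends on the cloud platform and is not modelled.

```python
# Policy from the message: builders may reach TCP 80/443 anywhere, nothing else.
ALLOWED_TCP_PORTS = {80, 443}

# Constructed sample data; the schema is an assumption, not a real cloud API.
SAMPLE_GROUPS = {
    "builders-strict": [
        {"protocol": "tcp", "port_min": 80, "port_max": 80, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "port_min": 443, "port_max": 443, "cidr": "0.0.0.0/0"},
    ],
    "builders-loose": [
        # A range that looks like "80 and 443" but opens everything in between.
        {"protocol": "tcp", "port_min": 80, "port_max": 443, "cidr": "0.0.0.0/0"},
        {"protocol": "udp", "port_min": 53, "port_max": 53, "cidr": "0.0.0.0/0"},
        # No protocol or port restriction at all.
        {"protocol": "any", "cidr": "0.0.0.0/0"},
    ],
}


def rule_violations(rule):
    """Return the reasons a single egress rule exceeds the 80/443 policy."""
    proto = str(rule.get("protocol", "any")).lower()
    if proto != "tcp":
        return [f"protocol '{proto}' is outside the tcp-only policy"]
    lo, hi = rule.get("port_min"), rule.get("port_max")
    if lo is None or hi is None:
        return ["tcp rule without port bounds opens every port"]
    if lo > hi:
        return [f"invalid port range {lo}-{hi}"]
    # Count every port in the range that the policy does not allow.
    extra = sum(1 for p in range(lo, hi + 1) if p not in ALLOWED_TCP_PORTS)
    if extra:
        return [f"tcp {lo}-{hi} also opens {extra} port(s) besides 80/443"]
    return []


def audit_egress(groups):
    """Map each group name to a list of (rule_index, reason) findings."""
    return {
        name: [(i, reason) for i, rule in enumerate(rules)
               for reason in rule_violations(rule)]
        for name, rules in groups.items()
    }


if __name__ == "__main__":
    for name, hits in audit_egress(SAMPLE_GROUPS).items():
        print(name, "OK" if not hits else hits)
```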