On Wed, 07 Dec 2011 15:02:42 -0500
Przemek Klosowski <przemek.klosowski(a)nist.gov> wrote:
> On 12/07/2011 01:25 PM, seth vidal wrote:
> > If I were going to use random VMs I'd want to:
> > 1. connect using ssh
> > 2. push over my own rpm/python/etc binaries
> > 3. checksum all the rest of the installed (and running) software
> > 4. verify those checksums versus my known good set
> > 5. THEN push over the pkgs to be built
>
> I'd say we need to be paranoid on this one and consider a tainted
> kernel where your own binaries would report A-OK on a rigged gcc
> because the kernel has a special case for it. Test builds and QA might be
> OK, but nothing that results in shipped bits.

So I have two thoughts on this:
1. scratch or personal chainbuilds could be built in ec2 or rax or
anywhere w/o an issue
2. for our shipping pkgs building them in the existing koji
buildsystems and/or in a dedicated private cloud instance makes sense -
if only for resource allocation and control.
-sv
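
Steps 3 and 4 of the quoted list (checksum the installed software, then compare against a known-good set) could look like the following. This is an added example, not code from the thread; the function names and the constructed sample tree are assumptions. As the reply points out, such a check runs on top of the VM's own kernel, so it cannot catch a kernel that special-cases what it reports.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare(known_good, observed):
    """Classify differences between the trusted manifest and the VM's state."""
    return {
        "modified": sorted(p for p in known_good
                           if p in observed and observed[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in observed),
        "unexpected": sorted(p for p in observed if p not in known_good),
    }


def demo():
    """Constructed sample: a tiny fake tree, changed after the manifest is taken."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for name, body in (("gcc", b"compiler"), ("ld", b"linker")):
            with open(os.path.join(root, "usr/bin", name), "wb") as fh:
                fh.write(body)
        manifest = hash_tree(root)            # known-good set, kept off the VM
        with open(os.path.join(root, "usr/bin/gcc"), "wb") as fh:
            fh.write(b"rigged compiler")      # simulated replacement
        os.remove(os.path.join(root, "usr/bin/ld"))
        with open(os.path.join(root, "usr/bin/extra"), "wb") as fh:
            fh.write(b"dropped file")
        return compare(manifest, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

Any non-empty list in the result means the build should not proceed on that VM.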