hosted reproducible package building with multiple developers?
James Ralston
qralston+ml.redhat-fedora-devel at andrew.cmu.edu
Wed Dec 8 18:03:13 UTC 2010

Riddle me this.

We want to provide a server for developers within our organization to
build RPM packages for use within our organization.

These are our requirements:

1. The developers must not be able to leverage the package build
   process to obtain root access on the server.

2. If a package has a build dependency that is not explicitly
   specified, the build must fail.

3. If two developers are building packages simultaneously, their
   builds must not conflict.

The only way to satisfy requirements #2 and #3 is to use a chroot'ed
build environment.

mock(1) uses a chroot'ed build environment, but mock fails requirement
#1, as anyone in the "mock" group can trivially root the box.

I think that koji would satisfy all three requirements, because koji
uses mock to build, but doesn't allow developers to interface with
mock directly. But setting up a koji infrastructure seems like a
highly non-trivial task.

Is there really no way to meet all three of these requirements without
going the full-blown koji route?