hosted reproducible package building with multiple developers?
seth vidal
skvidal at fedoraproject.org
Wed Dec 8 18:52:21 UTC 2010
On Wed, 2010-12-08 at 13:50 -0500, James Ralston wrote:
> On 2010-12-08 at 13:07-05 seth vidal <skvidal at fedoraproject.org> wrote:
>
> > the mock chroots that koji uses could still be rooted by someone who
> > can submit their own build-requirement-providing packages.
>
> Well, we vet all packages our developers submit before releasing them
> to our repositories, so we would catch a developer submitting (e.g.) a
> suid-bash-shell-1.0.0-1.el5.x86_64.rpm package.
>
> Does koji provide a mechanism for the submitter to specify his own yum
> repositories for mock to use?
not that I'm aware of - the folks on the buildsys list who maintain koji
may be able to help you more
https://lists.fedoraproject.org/mailman/listinfo/buildsys
> Well, the ultimate protection would be to use this procedure for each
> build:
>
> 1. Instantiate VMs for all architectures specified by the build,
> via cloning "known good" build VMs.
>
> 2. Use koji to build on each VM.
>
> 3. Destroy each VM that was instantiated.
>
> But that's some *serious* overhead. Plus, I'm not sure that we could
> automate steps #1 and #3, which would be a dealbreaker.
sure you can. :)
I'm dabbling in that right at this moment :)
> Honestly, given current trends, it might be that before too much
> longer, the best solution might be to simply give each developer his
> own VM for each OS/architecture he wants to build for, and tell him to
> use mock directly. Before each build, he snapshots the VM, and after
> each build, he reverts to the snapshot (discarding whatever changes
> the build process made to the system)...
perhaps.
-sv
More information about the devel
mailing list