On Thu, Jul 02, 2020 at 12:10:58PM +0200, Björn Persson wrote:
Nicolas Mailhot wrote:
The same process that commits a new state of the changelog file in sources, commits the date that was written in the changelog in a separate key = value file (with the components of the build evr, the last packager id, etc).
Do you mean that the key/value file will be committed to Git from inside Koji? Do the Koji builders have write access to Git?
This is the part that worries me a little about this approach. Builders currently do not have commit access to git and I'm not sure if we want them to considering they have git installed (so they can clone) as well as access to all the packages in dist-git from a networking point of view (again so they can clone). So if we were to give the builders commit access to dist-git, an attacker could easily commit to any other packages, potentially from something as easy as a scratch-build.
rpmautospec relies on git tags to store the build info, could it be considered here? It may make things a little safer as we could then restrict the access of that user/ssh key to only git tags (or do like rpmautospec and query pagure's API to have it create the git tag, thus dropping the need for ssh key).
Pierre