Riddle me this.
We want to provide a server for developers within our organization to
build RPM packages for use within our organization.
These are our requirements:
1. The developers must not be able to leverage the package build
process to obtain root access on the server.
2. If a package has a build dependency that is not explicitly
specified, the build must fail.
3. If two developers are building packages simultaneously, their
builds must not conflict.
The only way satisfy requirements #2 and #3 is to use a chroot'ed
build environment.
mock(1) uses a chroot'ed build environment, but mock fails requirement
#1, as anyone in the "mock" group can trivially root the box.
I think that koji would satisfy all three requirements, because koji
uses mock to build, but doesn't allow developers to interface with
mock directly. But setting up a koji infrastructure seems like a
highly non-trivial task.
Is there really no way to meet all three of these requirements without
going the full-blown koji route?
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
