Hi,
On Tue, Jun 07, 2016 at 11:08:47AM +0300, Samuli Seppänen wrote:
> > we can't open this to the world, as the t_client tests need sudo
> > privileges, so anyone who can push a patch to a testing tree can run
> > arbitrary commands on the buildslaves ("just build whatever you want
> > into something called 'openvpn' and run that with sudo from t_client") -
> > so, (semi-)trusted developers only.
>
> This is not entirely true, because the build steps are hardcoded.
Trivial :-) - just add a patch that will
cp evilscript.sh src/openvpn/openvpn
at the end of the build phase.
Then, run "make check", and t_client.sh will happily execute
sudo src/openvpn/openvpn $options
which now runs "evilscript.sh" with full root access...
> However, I would definitely not open this to the world, because there is
> plenty of room for misuse, and Buildbot might have security issues which
> could be exploited.
Ideed :-)
[..]
> It seems that a summary of how Vagrant operates is in order here.
>
> Vagrant uses pre-built images as a starting point. These images do not
> (and should not) be built by OpenVPN developers. The only things _we_
> have to maintain are the Vagrant files, which are basically recipies for
> configuring the base boxes into an OpenVPN test VMs.
>
> So, when a developer wants to run the integration tests this is what
> happens:
>
> - Vagrant fetches the pre-built VM images from a remote source
> - The image is launched into Virtualbox (or other virtualization system)
> - Vagrant runs the initialization scripts in the Vagrantfile
> - The system is ready to use and stored for future use
So what VM images are available today, especially regarding *BSD, Solaris,
MacOS? Who would be maintaining them, like, adding OS updates, installing
the tools needed to build OpenVPN (on a fresh Solaris system, you can't
build *anything*, for example)...
Fire up a linux VM is totally trivial :-)
[..]
> Summary: very little maintenance is required for Vagrant. It is not like
> buildbot, where we actually have to build the VMs from scratch.
This sounds great but I have a hard time actually believing it...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
signature.asc
Description: PGP signature
