Reduce unnecessary package repositories on sensitive slaves

Bug #1254075 reported by Jeremy Stanley on 2013-11-22
Affects: OpenStack Core Infrastructure
Status: Opinion
Importance: Undecided
Assigned to: Khai Do
Milestone: (none listed)

Bug Description

Right now we subclass all Jenkins slaves from the jenkins::slave class in Puppet, which includes package repositories for a variety of things we use for testing which are not provided directly by the distributions we use. This is needed for slaves running tests, but generally not for our trusted slaves (those which house credentials for uploading releases, updating translations, proposing changes for code review, and similar sorts of security-sensitive actions).

Instead, these trusted slaves should use a simpler Puppet class which doesn't risk compromise by relying on non-distro package repositories with unknown security policies. The current list of trusted slaves is as follows:

mirror26
mirror27
mirror33
proposal
pypi
salt-trigger
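
An added example, not part of the original report or the project's Puppet code: a small audit that parses one-line apt source entries and reports every active entry whose host is not a distribution archive, which is the condition the report wants trusted slaves to avoid. The allowlist of Ubuntu archive hosts, the function name and the sample sources text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts treated as the distribution's own archives (Ubuntu here).
DISTRO_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}

# One-line apt source format: type [options] uri suite [components...]
_ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")


def non_distro_entries(text, distro_hosts=DISTRO_HOSTS):
    """Return (line_no, uri, suite) for each active entry outside distro_hosts."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and disabled entries
        if not line:
            continue
        match = _ENTRY.match(line)
        if not match:
            continue
        uri, suite = match.group(2), match.group(3)
        host = (urlparse(uri).hostname or "").lower()
        # Regional mirrors such as us.archive.ubuntu.com count as distro hosts;
        # the leading dot stops look-alike names from matching by suffix.
        trusted = any(host == h or host.endswith("." + h) for h in distro_hosts)
        if not trusted:
            findings.append((line_no, uri, suite))
    return findings


# Constructed sample of a sources list on a 12.04 (precise) slave.
SAMPLE = """\
deb http://us.archive.ubuntu.com/ubuntu precise main universe
deb http://security.ubuntu.com/ubuntu precise-security main
# deb http://example.invalid/old precise main
deb [arch=amd64] http://ppa.launchpad.net/example-team/backports/ubuntu precise main
deb-src http://ppa.launchpad.net/example-team/backports/ubuntu precise main
deb file:/srv/local-repo ./
"""

if __name__ == "__main__":
    for line_no, uri, suite in non_distro_entries(SAMPLE):
        print(f"line {line_no}: non-distro repository {uri} ({suite})")
```

Entries with no hostname, such as local `file:` repositories, are reported as well, since they are not distribution archives either.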

Khai Do (zaro0508) on 2013-11-22
Changed in openstack-ci:
assignee: nobody → Khai Do (zaro0508)
Jeremy Stanley (fungi) wrote:

On second thought, this probably merits further discussion. The only third-party repositories currently being added on Jenkins slaves are backports to 12.04 LTS from later Ubuntu releases (for Py3K and PyPy). As a result, it's unclear whether any security gains resulting from this are worth the added complexity and refactoring effort.

information type: Public Security → Public
Changed in openstack-ci:
status: Confirmed → Opinion
importance: High → Undecided