On Wed, 2023-05-10 at 12:10 +0000, Jeremy Stanley wrote:
On 2023-05-10 07:58:59 -0400 (-0400), Neal Gompa wrote: [...]
I don't know if that's the case. Not many open source projects have their own internal infrastructure for all that. It would be worth asking, though.
Well, asking again anyway, since Sean already asked once and they never answered.
But also, the implementation details will matter. If this relies on us having a sensitive registration key which must be present on test nodes so that they can install packages at job run time, we have no effective means of securing that from exposure or exfiltration by users since random members of the public have the ability to run arbitrary code as root on those systems. In the case of the Ubuntu Advantage FIPS support license we're comped, we got a written statement from Canonical staff that said they were okay with the risk of someone extracting the activation key from a test node, and that they would work with us to rotate the key if that ever became a problem for them.
honestly i prefer avoiding all that complexity and useing distos that dont require it too so im just reaching out to that team for complete ness. i still think using CentOS Stream for a RHEL.Next proxy and Rocky for a Rhel current proxy is a simpler approach but that is a vailid point the images that are uploaded to the ci providres are also publicly avaiable its been a while but i ahve actully downloaded them to try and repoduce a issue we only saw in ci in the past. so unless the subsction key was injected in the job from zuul secret it would be in the nodepool image which is publicly hosted.