On 2023-05-10 07:58:59 -0400 (-0400), Neal Gompa wrote: [...]
> I don't know if that's the case. Not many open source projects have their own internal infrastructure for all that. It would be worth asking, though.

Well, asking again anyway, since Sean already asked once and they never answered. But also, the implementation details will matter. If this relies on us having a sensitive registration key which must be present on test nodes so that they can install packages at job run time, we have no effective means of securing that from exposure or exfiltration by users since random members of the public have the ability to run arbitrary code as root on those systems. In the case of the Ubuntu Advantage FIPS support license we're comped, we got a written statement from Canonical staff that said they were okay with the risk of someone extracting the activation key from a test node, and that they would work with us to rotate the key if that ever became a problem for them.

--
Jeremy Stanley