[mosh-devel] Mosh OS X package build on Travis

Jim Cheetham jim.cheetham at otago.ac.nz
Mon Oct 31 00:41:39 EDT 2016


Quoting john hood (2016-10-31 17:12:06)
> Alas, we will not get any kind of repeatable builds out of this; Travis
> constantly updates their build images and we update to current Homebrew
> for dependencies on every build.

That's the worst bit. Using external services that are *unlikely* to attack
your process is generally just fine, as long as there is a way to verify their
output.

Perhaps you could use Travis to report in the buildability of a revision,
and the source of a 'nightly build' version, but keep a repeatable
build chain for official releases?

> Currently, I'm using the GitHub deployment
> provider.  This requires an authentication token with permissions to
> create and upload onto a GitHub release on the originating GitHub
> project.  Do people think this is OK security-wise?

Sure, I guess so - because we can trust that GitHub reports changes
adequately. And if an attacker could affect both Travis and GitHub at
the same time, we're not going to be able to prevent that. Detecting it
afterwards is a laudable goal :-)

--
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheetham at otago.ac.nz    ☏ +64 3 470 4670    ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605
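An added example of the "detecting it afterwards" idea from the message above; it is not code from the mosh project or this thread. It audits what a GitHub release actually contains against the checksum manifest produced by a repeatable build chain, flagging assets whose digest changed and assets nobody built (the kind of thing a leaked deploy token could upload). Asset names and contents are constructed placeholders; fetching the real assets is left to the caller.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    problem: str  # "unexpected", "missing" or "digest-mismatch"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_release(expected: dict[str, str], published: dict[str, bytes]) -> list[Finding]:
    """Compare published release assets with a repeatable-build manifest.

    expected:  asset name -> sha256 hex digest from the trusted build chain
    published: asset name -> bytes as downloaded from the GitHub release
    Returns one Finding per discrepancy; an empty list means the release
    matches what was built.
    """
    findings: list[Finding] = []
    for name in sorted(set(expected) | set(published)):
        if name not in expected:
            # Present on GitHub but never produced by our build: a token
            # holder (or a compromised CI job) uploaded something extra.
            findings.append(Finding(name, "unexpected"))
        elif name not in published:
            findings.append(Finding(name, "missing"))
        elif sha256_hex(published[name]) != expected[name]:
            findings.append(Finding(name, "digest-mismatch"))
    return findings


# Constructed sample data (placeholder names, not real mosh artifacts).
GOOD_PKG = b"constructed contents of mosh-example.pkg"
GOOD_TARBALL = b"constructed contents of mosh-example.tar.gz"
EXPECTED = {
    "mosh-example.pkg": sha256_hex(GOOD_PKG),
    "mosh-example.tar.gz": sha256_hex(GOOD_TARBALL),
}
PUBLISHED = {
    "mosh-example.pkg": GOOD_PKG + b"\x00",      # one byte appended after build
    "mosh-example.tar.gz": GOOD_TARBALL,         # untouched
    "install-helper.sh": b"constructed extra",   # never built by us
}


def demo() -> list[Finding]:
    return audit_release(EXPECTED, PUBLISHED)
```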

