Mirror source tarballs for contributing setup - oilshell.org and/or git scalar #1925
Comments
This will reduce any flakiness due to all the hosts we use. There are probably 5 different hosts -- it should be one.
This also relates to xz backdoor fallout -- we want to build tarballs on 2 completely separate systems, and then compare them. Also do something about the intermediate docker containers ... we don't have a 1 step build -- we have "caching" in Docker, which is not ideal.
I think caching is fine?
Using Docker is necessary to make our CI fast, and for it to run on both sourcehut and GitHub Actions. However it's a dependency from a security perspective -- if someone hacks Docker, then they can backdoor BOTH the sourcehut AND the GitHub Actions tarballs. That's bad. So I would like to get rid of it in the future. Probably won't happen for a while though. i.e. Docker is a single point of failure. I would like to have 2 completely separate cloud builds, all running from the same git source repos, that produce the same exact release tarball. So that if one provider is hacked, we will know. They would have to hack multiple clouds at the same time to trick us.
eta 28min, crazy.
Originally posted by @glyh in #1923 (comment)
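The cross-check described in the comments above (two independent builders, one expected tarball) can be sketched as follows. This is an added example, not code from the project or from any commenter; the function names, file names and sample contents are constructed for illustration.

```python
import io
import tarfile
from hashlib import sha256


def member_index(tar_bytes: bytes) -> dict:
    """Map member name -> (content sha256, mode, mtime, uid, gid, type)."""
    index = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            fh = tar.extractfile(m) if m.isfile() else None
            body = fh.read() if fh else b""
            index[m.name] = (sha256(body).hexdigest(), m.mode, m.mtime, m.uid, m.gid, m.type)
    return index


def compare_tarballs(a: bytes, b: bytes) -> dict:
    """Compare release tarballs produced by two independent builders."""
    # Fast path: byte-identical archives need no further inspection.
    if sha256(a).digest() == sha256(b).digest():
        return {"identical": True, "only_a": [], "only_b": [], "content": [], "metadata": []}
    # Otherwise report where they diverge, so a reviewer can tell
    # nondeterminism (metadata) apart from changed or extra files.
    ia, ib = member_index(a), member_index(b)
    common = ia.keys() & ib.keys()
    return {
        "identical": False,
        "only_a": sorted(ia.keys() - ib.keys()),
        "only_b": sorted(ib.keys() - ia.keys()),
        "content": sorted(n for n in common if ia[n][0] != ib[n][0]),
        "metadata": sorted(n for n in common if ia[n][0] == ib[n][0] and ia[n][1:] != ib[n][1:]),
    }


def build_sample(files: dict, mtime: int = 0) -> bytes:
    """Constructed sample input: deterministic tarball (sorted names, fixed mtime and owner)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(files[name]), mtime, 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed data standing in for the outputs of two separate builders.
    src = {"pkg/configure": b"#!/bin/sh\necho ok\n", "pkg/main.c": b"int main(void){return 0;}\n"}
    other = {**src, "pkg/configure": b"#!/bin/sh\necho ok\n# extra line\n"}
    print(compare_tarballs(build_sample(src), build_sample(other)))
```

A non-empty `metadata` list with empty `content` usually points at build nondeterminism (timestamps, ownership) rather than a modified file, which is why the two are reported separately.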