Using Docker is necessary to make our CI fast, and for it to run on both sourcehut and GitHub Actions.
However, it's a dependency from a security perspective -- if someone hacks Docker, then they can backdoor BOTH the sourcehut AND the GitHub Actions tarballs.
That's bad.
So I would like to get rid of it in the future. Probably won't happen for a while though.
i.e. Docker is a single point of failure. I would like to have 2 completely separate cloud builds, all running from the same git source repos, that produce the same exact release tarball.
So that if one provider is hacked, we will know. They would have to hack multiple clouds at the same time to trick us.
Originally posted by @andychu in #1925 (comment)
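One way to run the cross-provider comparison described in this issue, as an added example (not code from the issue or the project): it first checks whether the two release tarballs are byte-identical and, if not, separates members whose bytes differ from members that differ only in metadata such as mtime. The function names `compare`, `members` and `make_tar`, and the `release/...` file names, are assumptions made for illustration; the sample tarballs are constructed in memory.

```python
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def members(tar_bytes: bytes) -> dict:
    """Map member name -> (content digest, metadata tuple)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            body = tf.extractfile(m).read() if m.isfile() else b""
            meta = (m.type, m.mode, m.uid, m.gid, m.mtime, m.linkname)
            out[m.name] = (sha256(body), meta)
    return out

def compare(a: bytes, b: bytes) -> dict:
    """Compare the release tarballs produced by two independent builders."""
    report = {"identical": sha256(a) == sha256(b),
              "content": [], "metadata": [], "only_one": []}
    if report["identical"]:
        return report
    ma, mb = members(a), members(b)
    for name in sorted(ma.keys() | mb.keys()):
        if name not in ma or name not in mb:
            report["only_one"].append(name)   # present in one builder's tarball only
        elif ma[name][0] != mb[name][0]:
            report["content"].append(name)    # file bytes differ between builders
        elif ma[name][1] != mb[name][1]:
            report["metadata"].append(name)   # same bytes, different mtime/uid/mode
    return report

def make_tar(files: dict, mtime: int) -> bytes:
    """Constructed sample input: an uncompressed tarball built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), mtime
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    src = {"release/configure": b"#!/bin/sh\n", "release/main.c": b"int main(void){return 0;}\n"}
    bad = {**src, "release/main.c": b"int main(void){return 1;}\n"}
    print(compare(make_tar(src, 0), make_tar(src, 0)))   # both builders agree
    print(compare(make_tar(src, 0), make_tar(src, 99)))  # only timestamps drifted
    print(compare(make_tar(src, 0), make_tar(bad, 0)))   # one builder's file differs
```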