:: Re: [devuan-dev] scorsh, releasebot…
Top Page
Delete this message
Reply to this message
Author: KatolaZ
Date:  
To: devuan-dev
Subject: Re: [devuan-dev] scorsh, releasebot, and jenkins
On Fri, Jul 21, 2017 at 12:15:05AM +1200, Daniel Reurich wrote:

[cut]

>
> Triggering builds using git commits/tags:
>
> The scorch proposal is terrible in that it will leak potentially
> sensitive information and clog up the list of git tags with build
> requests with all manner of detail and information. This is an abuse of
> tags and stupidity and will make developers scream in anguish when the
> have to trawl through the maddening list of pointless git tags looking
> for an actual release version.
>


Hi All,

Scorsh uses gpg-signed git commits to trigger pre-configured commands
on the server. These commands are pre-configured on the server side,
and associated to a whitelist of gpg-keyrings. If the commit in which
the scorsh command is included is signed with one of the authorised
gpg keys *for that command*, then it is executed. Otherwise, nothing
happen.

Then, each "command" can consist of several actions, pre-configured on
the server, which at the moment can be either the execution of a
script or the touch of a URL. If the action is the execution of a
script, the script needs to correspond to the configured hash (sha256
or sha512). I added URLs on purpose, just to trigger jenkins actions
through its REST API, as releasebot is currently doing (without
relying on strong cryptographic authentication, BTW...).

There is *no* git tag involved anywhere. I called "tags" the scorsh
commands, and maybe this was misleading. Sorry for that.

The security of scorsh is based on gpg and sha256/sha512. If you trust
gpg and sha256, then get your conclusions.

The code is available at:

https://github.com/dyne/scorsh/

and comments and reviews are very welcome.

I will read the rest of Dan's email with much interest, since we have
been asking for this information several times, and probably it is
finally coming out, in some form.

Thank you

KatolaZ

P.S.: For the future, and as a general rule, I would probably try to
make myself sure that I have a good understanding of the things I
decide to vomit onto, before vomiting a whole lot of garbage on them
:\

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]