[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-project] GitLab Runner updates

To: tor-project@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-project] GitLab Runner updates
From: Jim Newsome <jnewsome@xxxxxxxxxxxxxx>
Date: Sat, 18 Jun 2022 17:56:14 -0500
In-reply-to: <877d5g1zmw.fsf@curie.anarc.at>
List-id: "Moderated discussion list for tor contributors." <tor-project.lists.torproject.org>
Organization: The Tor Project, Inc
References: <877d5g1zmw.fsf@curie.anarc.at>
Reply-to: tor-project@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-project" <tor-project-bounces@xxxxxxxxxxxxxxxxxxxx>



On 6/16/22 08:55, Antoine Beaupré wrote:
<snip>

In general, you shouldn't really *trust* GitLab or GitLab CI for
anything else than running tests. Builds should be verified out of band
with reproducible builds. You can reproduce a local GitLab CI
environment by installing gitlab-runner and executing jobs locally,
without having to trust the entire GitLab installation or foreign
runners. As a reminder, it is your responsibility to ensure the
integrity of your code and artifacts, see those links for a further
discussion:

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#git-repository-integrity-solutions
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git#security-concerns

<snip>

We also had some discussion about reproducing gitlab-CI builds inhttps://gitlab.torproject.org/tpo/core/tor/-/issues/40615.

While it's fairly straightforward to install a gitlab-runner and executelocally, as far as I can tell a malicious GitLab installation couldstill send a modified "script" (post-processed .gitlab-ci.yml) or repocheckout down to the runner. Maybe there's some way to audit this, but Icouldn't find an obvious one. Maybe configuring the runner to log atdebug level would record enough?https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section

For that issue I ended up hacking together a small python script thatprocesses the .gitlab-ci.yml into something to feed directly throughDocker. It's currently a bit hacky and specialized for the Debian torpackage build. I think it could be generalized further to be reusable ifthat's of interest (maybe using Docker Compose to orchestrate jobswithin a pipeline), but am still thinking about whether there's a betterway...https://gitlab.torproject.org/jnewsome/reproduce-tor-debian-build/-/blob/main/reproduce_pipeline.py

Right now my top candidate we haven't tried yet is to install a fulllocal GitLab in addition to a local gitlab-runner; maybe using theirpublished Docker images https://docs.gitlab.com/ee/install/docker.html.This seems like the least engineering effort (~none) but a bit more workfor every individual wanting to do such a local build.

Keeping as much logic out of the .gitlab-ci.yml as possible so that thegitlab yml is trivial to manually reproduce outside of gitlab (e.g. run`./build.sh`) is probably ideal, though gives up some gitlabfunctionality. IIUC this is the approach we're using for the tortarballs. https://gitlab.torproject.org/tpo/core/tor-ci-reproducible

_______________________________________________
tor-project mailing list
tor-project@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project

Follow-Ups:
- Re: [tor-project] GitLab Runner updates
  - From: Antoine Beaupré

References:
- [tor-project] GitLab Runner updates
  - From: Antoine Beaupré

Prev by Author: Re: [tor-project] GitLab Runner updates
Next by Author: [tor-project] What's happening in Shadow 2022-06
Previous by thread: [tor-project] GitLab Runner updates
Next by thread: Re: [tor-project] GitLab Runner updates
Index(es):
- Author
- Thread