Trusting docker infrastructure #1

Open
opened 2018-07-09 16:36:41 +00:00 by dan · 0 comments
Owner

We've moved the notify-gogs.sh to mindstab/drone-gogs image as a plugin, but it highlighted that we are trusting docker supplied executing code to handle our secrets. Initial thoughts around putting a sha256 hash in our .drone.yml to compare to were pointed out to have the problem of relying on the sha256 in the plugin/image being trustworthy, just pushing the problem a level down.

We could tag the current build to try hardcoding to it, but it still relies on docker infrastructure trustworthiness and that isn't a guarantee.

We could also just move back to self hosting the script.

The risk is the secret token to our buildbot gogs account leaks.
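Added example, not code from the issue or the openprivacy/buildfiles repo: a small shell lint for a Drone 0.x-style `.drone.yml` that reports steps whose image is referenced by a mutable tag rather than an immutable `@sha256` digest, and separately the narrower case the issue is about, steps that also receive secrets. The sample pipeline is constructed, its digest is a placeholder, and the parser assumes the two-space-per-level layout shown.

```shell
#!/bin/sh
# Added example, not from the issue or the openprivacy/buildfiles repo.
# Flags pipeline steps whose image is a mutable tag instead of an immutable
# @sha256 digest. As the issue notes, a digest only moves the trust question
# to where the digest came from, but it does stop a silently re-pushed tag
# from reaching the step that holds the gogs token.

PLACEHOLDER_DIGEST=$(printf '%064d' 0)   # placeholder, not a real digest
# Constructed sample pipeline: one pinned step, two tag-referenced steps.
SAMPLE_DRONE_YML="pipeline:
  build:
    image: golang:1.10
    commands:
      - go build ./...
  notify:
    image: mindstab/drone-gogs@sha256:$PLACEHOLDER_DIGEST
    secrets: [ gogs_token ]
  deploy:
    image: plugins/ssh:latest
    secrets: [ ssh_key ]
"

# scan_pipeline MODE  (yml on stdin; MODE is "all" or "secrets")
# Prints "<step> <image>" per offending step; exits 1 if any were found.
# Assumes the two-space-per-level indentation used in the sample above.
scan_pipeline() {
    awk -v mode="$1" '
        function pinned(ref,   i, d) {
            i = index(ref, "@sha256:")
            if (i == 0) return 0
            d = substr(ref, i + 8)
            return (length(d) == 64 && d ~ /^[0-9a-f]+$/)
        }
        function flush() {
            if (step != "" && img != "" && (mode == "all" || has_secret) && !pinned(img)) {
                print step, img; bad = 1
            }
            img = ""; has_secret = 0
        }
        /^  [A-Za-z_][A-Za-z0-9_-]*:$/ { flush(); step = $1; sub(/:$/, "", step) }
        $1 == "image:"   { img = $2 }
        $1 == "secrets:" { has_secret = 1 }
        END { flush(); if (bad) exit 1 }
    '
}

unpinned_images()       { scan_pipeline all; }     # every tag-referenced image
unpinned_secret_steps() { scan_pipeline secrets; } # only steps that also get secrets

printf '%s' "$SAMPLE_DRONE_YML" | unpinned_secret_steps || echo "unpinned images handle secrets" >&2
```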

Reference: openprivacy/buildfiles#1