Trusting docker infrastructure #1

Open
opened 3 years ago by dan · 0 comments
dan commented 3 years ago
Owner

We've moved the notify-gogs.sh to mindstab/drone-gogs image as a plugin, but it highlighted that we are trusting docker supplied executing code to handle our secrets. Initial thoughts around putting a sha256 hash in our .drone.yml to compare to were pointed out to have the problem of relying on the sha256 in the plugin/image being trustworthy, just pushing the problem a level down.

We could tag the current build to try hardcoding to it, but it still relies on docker infrastructure trustworthiness and that isn't a guarantee.

We could also just move back to self hosting the script.

The risk is the secret token to our buildbot gogs account leaks.

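As an added example (not from the issue above and not part of the mindstab/drone-gogs project), the following script audits a `.drone.yml`-style pipeline and reports which `image:` references are pinned to a content digest (`name@sha256:<hex>`, Docker's digest reference syntax) and which float on a tag or on `latest`. The pipeline text and the all-zero digest are constructed sample input, not real values. This only makes the "what ran" question deterministic; as the issue notes, a digest pin does not by itself establish that the pinned content is trustworthy.

```python
"""Added example: flag .drone.yml plugin/image references that are not pinned to a digest.

Not the issue author's code and not part of mindstab/drone-gogs; the sample
pipeline below is constructed for illustration.
"""
import re
from typing import Dict, List

# Placeholder digest for the sample only; a real pin would carry the image's
# actual sha256 digest as reported by the registry.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed sample pipeline in the Drone 0.x style the issue's .drone.yml uses.
SAMPLE_DRONE_YML = f"""\
pipeline:
  build:
    image: golang:1.12
    commands:
      - go test ./...
  notify:
    image: mindstab/drone-gogs
    secrets: [ gogs_token ]
  notify_pinned:
    image: mindstab/drone-gogs@{PLACEHOLDER_DIGEST}
    secrets: [ gogs_token ]
"""

# One 'image: <ref>' line per step; the value is a single token.
IMAGE_RE = re.compile(r"^\s*image:\s*(?P<ref>\S+)\s*$", re.MULTILINE)
# A well-formed sha256 digest is exactly 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify_image_ref(ref: str) -> str:
    """Classify one image reference.

    Returns 'digest' for name@sha256:<64 hex>, 'malformed-digest' when an '@'
    is present but the digest is not well-formed, 'tag' for an explicit
    non-latest tag, and 'floating' for an untagged reference or ':latest'.
    """
    if "@" in ref:
        _, digest = ref.rsplit("@", 1)
        return "digest" if DIGEST_RE.match(digest) else "malformed-digest"
    # Only the last path component can carry a tag; a ':' earlier in the
    # reference belongs to a registry host:port (e.g. registry.local:5000/...).
    last_component = ref.rsplit("/", 1)[-1]
    if ":" in last_component:
        tag = last_component.split(":", 1)[1]
        return "floating" if tag == "latest" else "tag"
    return "floating"


def audit_pipeline(yml_text: str) -> List[Dict[str, str]]:
    """Return one record per image reference found, with its pinning class."""
    return [
        {"image": m.group("ref"), "pinning": classify_image_ref(m.group("ref"))}
        for m in IMAGE_RE.finditer(yml_text)
    ]


def unpinned_images(yml_text: str) -> List[str]:
    """Image references that would run whatever the registry currently serves."""
    return [r["image"] for r in audit_pipeline(yml_text) if r["pinning"] != "digest"]


if __name__ == "__main__":
    for record in audit_pipeline(SAMPLE_DRONE_YML):
        print(f"{record['pinning']:>16}  {record['image']}")
    # Expected: golang:1.12 and the untagged mindstab/drone-gogs are reported.
    print("unpinned:", unpinned_images(SAMPLE_DRONE_YML))
```

Running it on the sample lists the `golang:1.12` and untagged `mindstab/drone-gogs` steps as unpinned and accepts the digest-pinned step. The check deliberately treats a bare tag as unpinned, since a tag can be re-pointed at different content on the registry side without any change to the pipeline file.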