Create qubes.AppendLog service #2023
Labels
C: other
T: enhancement
Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Milestone
Comments
rootkovska
added
T: enhancement
Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
C: other
T: task
Type: task. An action item that is neither a bug nor an enhancement.
labels
May 24, 2016
marmarek
added a commit
to marmarek/qubes-builder
that referenced
this issue
Dec 6, 2016
Require explicit call to scripts/make-with-log. Later will be plugged in build automation. QubesOS/qubes-issues#2023
marmarek
added a commit
to marmarek/qubes-builder
that referenced
this issue
Dec 6, 2016
Take a look at COMPONENTS setting. This way single-component build log is not trashed with a status of all the repositories. QubesOS/qubes-issues#2023
marmarek
added a commit
to marmarek/qubes-builder
that referenced
this issue
Dec 6, 2016
marmarek
added a commit
to marmarek/qubes-builder
that referenced
this issue
Dec 6, 2016
marmarek
added a commit
to marmarek/old-qubes-builder-debian
that referenced
this issue
Dec 17, 2016
This, connected with the append-only build log (QubesOS/qubes-issues#2023), will allow for meaningful inspection of what really got installed during template build, even if signature verification is buggy or the release signing key is compromised. Adding this for debootstrap, after downloading but before installing packages, is somewhat complex. Split the operation into two phases: first download all the packages, then install them. Point at a local directory for the second run to not download packages (or repository metadata) the second time. That local directory needs to have proper repository metadata.
marmarek
added a commit
to QubesOS/qubes-builder-debian
that referenced
this issue
Dec 17, 2016
This, connected with the append-only build log (QubesOS/qubes-issues#2023), will allow for meaningful inspection of what really got installed during template build, even if signature verification is buggy or the release signing key is compromised. Adding this for debootstrap, after downloading but before installing packages, is somewhat complex. Split the operation into two phases: first download all the packages, then install them. Point at a local directory for the second run to not download packages (or repository metadata) the second time. That local directory needs to have proper repository metadata. (cherry picked from commit f1e2283)
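The two-phase approach described in the commit message above, sketched as an added example (not code from qubes-builder-debian): hash every downloaded package into a manifest for the build log before anything is installed, then re-check the local directory just before the install phase. The log line format, function names and sample files are assumptions made for illustration, and the re-check step goes beyond what the commit message describes.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(package_dir, suffixes=(".deb", ".rpm")):
    """Phase 1 result: map each downloaded package file name to its hash."""
    manifest = {}
    for name in sorted(os.listdir(package_dir)):
        if name.endswith(suffixes):
            manifest[name] = hash_file(os.path.join(package_dir, name))
    return manifest


def manifest_log_lines(manifest):
    """Lines to send to the build log before anything is installed."""
    return ["package-hash sha256:%s %s" % (manifest[n], n) for n in sorted(manifest)]


def changed_since_logging(package_dir, manifest):
    """Phase 2 guard: names added, removed or modified after logging."""
    current = build_manifest(package_dir)
    names = set(manifest) | set(current)
    return sorted(n for n in names if manifest.get(n) != current.get(n))


def demo():
    # Constructed sample: two fake package files in a temporary directory.
    with tempfile.TemporaryDirectory() as pkg_dir:
        for name, body in (("a_1.0_all.deb", b"first"), ("b_2.1_amd64.deb", b"second")):
            with open(os.path.join(pkg_dir, name), "wb") as handle:
                handle.write(body)
        manifest = build_manifest(pkg_dir)
        lines = manifest_log_lines(manifest)
        # Simulate a package being swapped between the two phases.
        with open(os.path.join(pkg_dir, "b_2.1_amd64.deb"), "wb") as handle:
            handle.write(b"swapped")
        return lines, changed_since_logging(pkg_dir, manifest)
```

Because the manifest lines reach the log before installation starts, a reviewer can compare them against independently fetched packages even if the later install step misbehaves.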
Closed
HW42 has generously submitted a patch for this based on the proposal in the post Security challenges for the Qubes build process.
marmarek
added a commit
to marmarek/qubes-builder
that referenced
this issue
Dec 18, 2016
GIT_REPOS variable may contain qubes-builder itself, as ".". Fixes 43b1221 "Log only status of selected git repositories" QubesOS/qubes-issues#2023
marmarek
added a commit
to marmarek/qubes-builder
that referenced
this issue
Dec 19, 2016
Default value for keyword argument is calculated at function definition time, not at call time. So the previous version basically logged script start time. QubesOS/qubes-issues#2023
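The pitfall this commit message describes, as an added example that is not the qubes-builder code: a default argument is evaluated once, when the `def` statement runs, so a timestamp default freezes at that moment. The `make_stampers` and `fake_clock` names and the log format are hypothetical, and a counting clock stands in for `time.time()` so the result is deterministic.

```python
import itertools


def make_stampers(clock):
    """Build a buggy and a fixed line stamper around the same clock."""

    def stamp_buggy(line, now=clock()):
        # Bug: clock() ran once, when this def statement executed, so every
        # call that omits `now` reuses that single reading.
        return "[%04d] %s" % (now, line)

    def stamp_fixed(line, now=None):
        # Fix: use a sentinel default and read the clock inside the call.
        if now is None:
            now = clock()
        return "[%04d] %s" % (now, line)

    return stamp_buggy, stamp_fixed


def fake_clock(start=100):
    """Constructed stand-in for time.time(): returns start, start+1, ..."""
    ticks = itertools.count(start)
    return lambda: next(ticks)


def demo():
    stamp_buggy, stamp_fixed = make_stampers(fake_clock())
    build_output = ["fetch sources", "verify tags", "run make"]  # constructed
    buggy = [stamp_buggy(line) for line in build_output]
    fixed = [stamp_fixed(line) for line in build_output]
    return buggy, fixed


if __name__ == "__main__":
    for entries in demo():
        print("\n".join(entries))
```

In a build log, the buggy form makes every entry appear to happen at script start, which hides the ordering and duration of build steps from anyone reviewing the log.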
marmarek
added a commit
to marmarek/qubes-builder
that referenced
this issue
Jan 24, 2017
Don't replace sys.stdin, use os.path.join, make it clear that file_name is always set to something. QubesOS/qubes-issues#2023
@HW42's implementation is already integrated and enabled: #1818, https://github.com/QubesOS/build-logs
marmarek
added a commit
to marmarek/qubes-builder-rpm
that referenced
this issue
May 15, 2017
Follow the change in builder-debian f1e2283 "template: log hashes of all downloaded packages before installation". This will allow better verification of template build process. Simplify the process by dropping support for templates without yum/dnf installed. It is always installed by prepare-chroot-base, if not - that's an error. Related: QubesOS/qubes-issues#2023
andrewdavidwong
added a commit
that referenced
this issue
Oct 19, 2017
andrewdavidwong
removed
the
T: task
Type: task. An action item that is neither a bug nor an enhancement.
label
Jan 17, 2023
Very useful to e.g. gather build logs in a reliable way, i.e. even if the build VM gets compromised during the build process (e.g. due to curl|bash in a Makefile), the log can still be meaningful. Also for many other uses. Related to #830.