[rb-general] Reproducible builds and distributed CI

Bernhard M. Wiedemann bernhardout at lsmod.de
Tue Aug 13 13:53:42 UTC 2019


On 11/08/2019 11.06, Lars Wirzenius wrote:
>         * rejected: a karma or reputation system based on past
>           behaviour: this makes long-lived workers valuable targets,
>           and years of good behaviour won't protect if the worker gets
>           hijacked

Maybe karma could be an additional input in decision making, so that
when you choose N builders, at least M of them have high karma.
This would mitigate attackers that add 10000 nodes to the pool for an
hour (costs roughly $100 in a cloud - if they are even real nodes).
Long-lived workers are valuable targets in any case. Just need to make
sure that you do not trust them more than you would without karma.
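
The selection rule proposed in this message, as an added sketch that is not part of the original post or of any project code: choose N builders with at least M above a karma threshold, then accept a result only if all N agree, so karma affects who is picked but not how much each report counts. The pool sizes, karma values, threshold and unanimous-agreement rule are assumptions made for the illustration.

```python
import random

GOOD, BAD = "hash-good", "hash-backdoored"   # constructed build results

def make_pool(veterans, sybils, hijacked=0):
    """Constructed pool: long-lived workers (karma 100) plus freshly added nodes (karma 0)."""
    pool = [{"id": f"vet-{i}", "karma": 100, "evil": i < hijacked} for i in range(veterans)]
    pool += [{"id": f"new-{i}", "karma": 0, "evil": True} for i in range(sybils)]
    return pool

def pick_builders(pool, n, m, karma_floor, rng):
    """Choose n distinct builders, at least m of them with karma >= karma_floor."""
    high = [b for b in pool if b["karma"] >= karma_floor]
    if len(high) < m:
        raise ValueError("fewer high-karma builders than the quota m")
    quota = rng.sample(high, m)
    taken = {b["id"] for b in quota}
    rest = [b for b in pool if b["id"] not in taken]
    return quota + rng.sample(rest, n - m)

def accept(reports):
    """Karma only influenced selection; acceptance still needs all n to agree, unweighted."""
    return reports[0] if len(set(reports)) == 1 else None

def attacker_win_rate(n, m, hijacked=0, trials=200, seed=1):
    """Fraction of builds where a backdoored result is accepted."""
    rng = random.Random(seed)
    pool = make_pool(veterans=50, sybils=10000, hijacked=hijacked)
    wins = 0
    for _ in range(trials):
        chosen = pick_builders(pool, n, m, karma_floor=50, rng=rng)
        reports = [BAD if b["evil"] else GOOD for b in chosen]
        wins += accept(reports) == BAD
    return wins / trials

if __name__ == "__main__":
    print("no quota      :", attacker_win_rate(n=3, m=0))
    print("quota m=1     :", attacker_win_rate(n=3, m=1))
    print("m=1, 1 hijack :", attacker_win_rate(n=3, m=1, hijacked=1))
```

With the quota, flooding the pool no longer wins on its own; the residual risk is a hijacked high-karma worker landing in the quota slot, which is why the quota should be a floor on selection and not a reason to lower N or skip the agreement check.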
