[rb-general] Reproducible builds and distributed CI

Arnout Engelen arnout at bzzt.net
Wed Jun 19 10:50:55 UTC 2019


On Wed, Jun 19, 2019 at 12:29 PM Lars Wirzenius <liw at liw.fi> wrote:
> On Sun, May 19, 2019 at 01:09:40PM +0300, Lars Wirzenius wrote:
> * One of the things I'm exploring is ways to have a "distributed CI",
>   where CI build workers can be provided by anyone.

https://github.com/bazelbuild/remote-apis#remote-execution-api might
be an interesting building block here.

> * Is the approach of at-least-N bitwise identical builds sensible,
>   assuming sufficient build workers being available? Or are there
>   security aspects and risks there that I am missing?

This is indeed an aspect that needs thought here. In its simplest
implementation, where anyone can freely join the builder pool,
this will obviously not work: an attacker could start a ton of build
nodes (buying them, using a botnet, ...), and inject its malware
when it controls at-least-N of the build nodes.

A "trust but verify" approach where you put your reputation on the
line when providing build nodes (or get penalized in some other way
when foul play is detected) could perhaps work.

Perhaps there are other creative mitigations?

Another attack vector you should think about is how to isolate the
build itself: it'd be bad if someone could hack the build nodes by
submitting a malicious build. I bet there's prior art on this though,
as this is something basically all PaaS providers have to deal with
somehow.

Cool idea, looking forward to seeing how it turns out!


Kind regards,

Arnout
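
The at-least-N check and the node-flooding problem discussed in the message above, as an added example that is not part of the original post. It assumes each build report carries an operator identity and that a list of accountable operators exists; the names `naive_quorum`, `operator_quorum`, `known_operators` and all sample data are hypothetical.

```python
from collections import defaultdict
from hashlib import sha256

def naive_quorum(reports, n):
    """Digests reported by at least n nodes, no matter who runs them."""
    nodes = defaultdict(set)
    for node, _operator, digest in reports:
        nodes[digest].add(node)
    return {d for d, seen in nodes.items() if len(seen) >= n}

def operator_quorum(reports, n, known_operators):
    """One vote per known operator; any disagreement among them is a dispute."""
    voters = defaultdict(set)
    for _node, operator, digest in reports:
        if operator in known_operators:      # unknown operators get no vote
            voters[digest].add(operator)
    if len(voters) > 1:                      # accountable parties disagree:
        return ("dispute", None)             # do not publish, investigate
    for digest, ops in voters.items():
        if len(ops) >= n:
            return ("accept", digest)
    return ("no-quorum", None)

# Constructed sample data: (node id, operator, artifact digest)
GOOD = sha256(b"constructed clean artifact").hexdigest()
BAD = sha256(b"constructed tampered artifact").hexdigest()
HONEST = [("n1", "alice", GOOD), ("n2", "bob", GOOD)]
CAROL = [("n3", "carol", GOOD)]
FLOOD = [(f"m{i}", "mallory", BAD) for i in range(5)]  # one party, five nodes

if __name__ == "__main__":
    trusted = {"alice", "bob", "carol"}
    # Node counting: the flooded digest is the only one that reaches N=3.
    print(naive_quorum(HONEST + FLOOD, 3) == {BAD})
    # Operator counting: the five extra nodes add no votes.
    print(operator_quorum(HONEST + FLOOD, 3, trusted))
    print(operator_quorum(HONEST + CAROL + FLOOD, 3, trusted))
    # If the flooding party is itself a known operator, its nodes collapse
    # into one dissenting vote, which surfaces as a dispute.
    print(operator_quorum(HONEST + CAROL + FLOOD, 3, trusted | {"mallory"}))
```

Counting operators instead of nodes only moves the problem to how operators become known, which is where the reputation or penalty idea from the message would have to come in.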

