On Tue, Feb 09, 2021 at 06:15:26PM +0100, Philippe Mathieu-Daudé wrote:
> >
> > I've actually done this with some Xen patches I'm working on at the
> > moment. I'll probably decorate the test with:
> >
> > @skipUnless(os.getenv('AVOCADO_ALLOW_UNTRUSTED_CODE'), 'untrusted code')
> >
> > with a comment explaining what's waiting to be upstreamed. Once there
> > are upstream binaries I plan on transitioning the test to those.
>
> Instead of a binary AVOCADO_ALLOW_UNTRUSTED_CODE variable, we could
> have a list allowed domains/namespaces, that can be increased on the
> tester discretion.
>
> For example these are assumed trusted:
>
> . archives.fedoraproject.org
> . archive.debian.org
> . cdn.netbsd.org
> . github.com/torvalds
> . people.debian.org/~aurel32
> . snapshot.debian.org
> . storage.kernelci.org
> . www.qemu-advent-calendar.org
>
> Then personally interested in testing ARM boards I'd amend:
>
> . apt.armbian.com
> . github.com/philmd
> . github.com/groeck
> . github.com/hskinnemoen
> . github.com/pbatard
>
> and Max's repo since I'm interested in testing virtiofs_submounts.
> Hi Phil,
>
> I think I follow your idea, but I see two issues here:
>
> 1) Functional area (subsystem / architecture / machine type, etc)
> 2) Trustfulness of the code
>
> WRT 1, the domains do not contain meaning onto themselves, so a
> secondary mapping of subsystem/architecture/machine to the domain would
> be needed. Also, wouldn't it be common to end up needing an N:N mapping
> between domains and subsystem/architecture/machine?
>
> WRT 2, while limiting download from a number of domains can add some
> protection, the ultimate trust is achieved by setting a hash to the
> exact code we will download/run.
>
> If those points seem valid, then I believe it's better to continue
> thinking of subsystem/architecture/machine because of the usability
> aspects, and possibly improve the perceived level of trust/stability of
> the assets by adding a "tier" classification. That one, one could pick,
> say:
>
>  * board|machine_type == "foo" AND
>  * tier == 1
>
> And exclude what is considered inferior tiers.
>
> How does that sound?
>
> Regards,
> - Cleber.
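The two mechanisms discussed above (Phil's per-tester allowlist of domains/namespaces and Cleber's hash pinned to the exact bytes that will run) worked through as an added Python example; this is not code from the thread or from Avocado. The `AVOCADO_TRUSTED_SOURCES` variable name, the host-plus-path-prefix matching rule and the sample values are assumptions of this example.

```python
import hashlib
import os
from urllib.parse import urlsplit

# Phil's "assumed trusted" list, written as "host" or "host/path-prefix".
BASE_TRUSTED = (
    "archives.fedoraproject.org",
    "archive.debian.org",
    "cdn.netbsd.org",
    "github.com/torvalds",
    "people.debian.org/~aurel32",
    "snapshot.debian.org",
    "storage.kernelci.org",
    "www.qemu-advent-calendar.org",
)

# Assumed variable (not an Avocado setting): colon-separated extra entries a
# tester adds at their own discretion, e.g. "github.com/philmd:apt.armbian.com".
EXTRA_ENV = "AVOCADO_TRUSTED_SOURCES"


def _entry_matches(entry, host, path):
    """Host must be identical (no substring tricks); a path prefix, if given, must contain the URL path."""
    ehost, _, eprefix = entry.lower().partition("/")
    if host != ehost:
        return False
    if not eprefix:
        return True
    eprefix = "/" + eprefix.strip("/")
    return path == eprefix or path.startswith(eprefix + "/")


def is_trusted_source(url, extra=None):
    """Phil's idea: is this download URL under an allowlisted domain/namespace?"""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if extra is None:
        extra = [e for e in os.getenv(EXTRA_ENV, "").split(":") if e]
    return any(_entry_matches(e, host, parts.path)
               for e in list(BASE_TRUSTED) + list(extra))


def asset_matches_hash(data, expected_sha256):
    """Cleber's point: the real trust anchor is the hash of the exact bytes."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def may_run(url, data, expected_sha256, extra=None):
    """Both checks together: allowlisted source AND pinned content hash."""
    return is_trusted_source(url, extra) and asset_matches_hash(data, expected_sha256)
```

Note that the allowlist alone still accepts whatever the host serves today; only the pinned hash ties the test to the bytes that were reviewed.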
