/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create qubes.AppendLog service #2023

Closed
rootkovska opened this Issue May 24, 2016 · 2 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0
3 participants
@rootkovska @andrewdavidwong @marmarek
@rootkovska
Member

rootkovska commented May 24, 2016

Very useful to e.g. gather build logs in a reliable way, i.e. even if the build VM gets compromised during the build process (e.g due to curl|bash in a Makefile), the log can still be meaningful. Also for many other uses. Related to #830.

@rootkovska rootkovska added enhancement C: other task labels May 24, 2016

@rootkovska rootkovska added this to the Release 4.0 milestone May 24, 2016

marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 6, 2016

@marmarek
Don't enable external logging by default 
Require explicit call to scripts/make-with-log.
Later will be plugged in build automation.

QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
45b96ec

marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 6, 2016

@marmarek
Log only status of selected git repositories 
Take a look at COMPONENTS setting. This way single-component build log
is not trashed with a status of all the repositories.

QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
43b1221

marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 6, 2016

@marmarek
build-log: call post-log-hook for possible logs uploading 
QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
d7cc141

marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 6, 2016

@marmarek
build-log: call post-log-hook for possible logs uploading 
QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
f7fa9db

@marmarek marmarek referenced this issue Dec 6, 2016

Closed

Write a script to build a package when proper signed version tag is pushed #1818

marmarek added a commit to marmarek/qubes-builder-debian that referenced this issue Dec 17, 2016

@marmarek
template: log hashes of all downloaded packages before installation 
This, connected with append-only build log (QubesOS/qubes-issues#2023)
will allow for meaningful inspection what really got installed during
template build, even if signature verification is buggy, or release
signing key is compromised.

Adding this for debootstrap - after downloading but before installing
packages is somehow complex. Split the operation into two phases - first
download all the packages, then install them. Point at local directory
for the second run to not download packages (or repository metadata)
the second time. That local directory needs to have proper repository
metadata.
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
f1e2283

marmarek added a commit to QubesOS/qubes-builder-debian that referenced this issue Dec 17, 2016

@marmarek
template: log hashes of all downloaded packages before installation 
This, connected with append-only build log (QubesOS/qubes-issues#2023)
will allow for meaningful inspection what really got installed during
template build, even if signature verification is buggy, or release
signing key is compromised.

Adding this for debootstrap - after downloading but before installing
packages is somehow complex. Split the operation into two phases - first
download all the packages, then install them. Point at local directory
for the second run to not download packages (or repository metadata)
the second time. That local directory needs to have proper repository
metadata.

(cherry picked from commit f1e2283)
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
03a2fac

@marmarek marmarek referenced this issue Dec 17, 2016

Closed

Append-only build log #2251

@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Dec 17, 2016

Member

HW42 has generously submitted a patch for this based on the proposal in the post Security challenges for the Qubes build process.
Member

andrewdavidwong commented Dec 17, 2016

HW42 has generously submitted a patch for this based on the proposal in the post Security challenges for the Qubes build process.

andrewdavidwong added a commit that referenced this issue Dec 17, 2016

@andrewdavidwong
Track #2023
Verified
This commit was signed with a verified signature.
@andrewdavidwong andrewdavidwong Andrew David Wong
GPG key ID: DB4DD3BC39503030 Learn about signing commits
f0b52fa

@marmarek marmarek referenced this issue Dec 17, 2016

Closed

Log hash of each package going to be installed during template build #2524

marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 18, 2016

@marmarek
Do not recurse indefinitely 
GIT_REPOS variable may contains qubes-builder itself, as ".".

Fixes 43b1221 "Log only status of selected git repositories"

QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
910a7db

marmarek added a commit to marmarek/qubes-builder that referenced this issue Dec 19, 2016

@marmarek
build-log: fix timestamp loging 
Default value for keyword argument is calculate at function definition
time, not a call time. So the previous version basically logged script
start time.

QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
03e412e

marmarek added a commit to marmarek/qubes-builder that referenced this issue Jan 24, 2017

@marmarek
build-log: make the code easier to read 
Don't replace sys.stdin, use os.path.join, make it clear that file_name
is always set to something.

QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
bfe8112
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 7, 2017

Member

@HW42 implementation is already integrated and enabled: #1818 , https://github.com/QubesOS/build-logs
Member

marmarek commented Mar 7, 2017

@HW42 implementation is already integrated and enabled: #1818 , https://github.com/QubesOS/build-logs

@marmarek marmarek closed this Mar 7, 2017

marmarek added a commit to marmarek/qubes-builder-rpm that referenced this issue May 15, 2017

@marmarek
Log hashes of download packages before installing them 
Follow the change in builder-debian f1e2283 "template: log hashes of all
downloaded packages before installation". This will allow better
verification of template build process.
Simplify the process by dropping support for templates without yum/dnf
installed. It is always installed by prepare-chroot-base, if not -
that's an error.

Related: QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
4fc7afb

marmarek added a commit to marmarek/qubes-builder-rpm that referenced this issue May 15, 2017

@marmarek
Log hashes of download packages before installing them 
Follow the change in builder-debian f1e2283 "template: log hashes of all
downloaded packages before installation". This will allow better
verification of template build process.
Simplify the process by dropping support for templates without yum/dnf
installed. It is always installed by prepare-chroot-base, if not -
that's an error.

Related: QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
ebbe5f1

marmarek added a commit to marmarek/qubes-builder-rpm that referenced this issue May 15, 2017

@marmarek
Log hashes of download packages before installing them 
Follow the change in builder-debian f1e2283 "template: log hashes of all
downloaded packages before installation". This will allow better
verification of template build process.
Simplify the process by dropping support for templates without yum/dnf
installed. It is always installed by prepare-chroot-base, if not -
that's an error.

Related: QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
3825e63

marmarek added a commit to marmarek/qubes-builder-rpm that referenced this issue May 15, 2017

@marmarek
Log hashes of download packages before installing them 
Follow the change in builder-debian f1e2283 "template: log hashes of all
downloaded packages before installation". This will allow better
verification of template build process.
Simplify the process by dropping support for templates without yum/dnf
installed. It is always installed by prepare-chroot-base, if not -
that's an error.

Related: QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
cde0526

marmarek added a commit to marmarek/qubes-builder-rpm that referenced this issue May 15, 2017

@marmarek
Log hashes of download packages before installing them 
Follow the change in builder-debian f1e2283 "template: log hashes of all
downloaded packages before installation". This will allow better
verification of template build process.
Simplify the process by dropping support for templates without yum/dnf
installed. It is always installed by prepare-chroot-base, if not -
that's an error.

Related: QubesOS/qubes-issues#2023
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
17db253

andrewdavidwong added a commit that referenced this issue Oct 19, 2017

@andrewdavidwong
Untrack #2023 (complete)
Verified
This commit was signed with a verified signature.
@andrewdavidwong andrewdavidwong Andrew David Wong
GPG key ID: 8CE137352A019A17 Learn about signing commits
016037e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment