[users at bb.net] debian packages?

Bill Deegan bill at baddogconsulting.com
Tue Feb 27 20:03:31 UTC 2018


Dan,


On Tue, Feb 27, 2018 at 12:43 PM, Dan Kegel <dank at kegel.com> wrote:

> On Tue, Feb 27, 2018 at 7:41 AM, Bill Deegan <bill at baddogconsulting.com>
> wrote:
> > Any reason you wouldn't use virtualenv and pip install for your buildbot
> > install needs?
>
> It is inherently dangerous to trust third party package repositories.
> I would like my build machines to be capable of running builds
> without randomly downloading crap from this, that, and the other
> marginally trustable third party collection of packages.
>
> Since I'm running Ubuntu, I already trust that one repository,
> and I'd like to draw the line there.
>

That's a pretty restrictive point of view, but if that suits your security
requirements.
You do realize that the Debian packages are built from the same sources the
PyPI packages are (minus some minor packaging changes). So in some sense
the Debian package is a third-party package vs. PyPI (the primary
distribution point for buildbot packages).

I've been using pip installs of buildbot for probably as long as there have
been such, on publicly facing webservers, without any issues to date (knock
on wood).
PyPI does keep track of PGP and MD5 checksums on all the packages (well,
perhaps not PGP on all).

Buildbot (historically) has a pretty good development pace, and if you're
stuck with only the Debian packages you'll be out of date and missing some
nice improvements (performance, security fixes, and features).

In general I agree that adding Debian repos willy-nilly is not a wise
move; installing from PyPI using pip (at least for buildbot) is not as much
of a risk.

Any one else have this concern with installing buildbot from pypi?

-Bill
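The checksums Bill mentions are only useful if the build machine actually refuses anything that does not match them. The way to get that with pip is a hash-pinned requirements file installed with `pip install --require-hashes -r requirements.txt`: every requirement is `==`-pinned and carries one or more `--hash=sha256:...` entries recorded once from a release you trust (`pip hash <file>`, or `pip-compile --generate-hashes`). The script below, an added example for this thread and not buildbot's or pip's own code, re-implements that check offline so you can see exactly what it does and does not protect against: it parses a pinned requirements file, maps wheel/sdist filenames in a local download directory back to their project and version, and accepts a file only if its digest is one of the pinned ones. The package names, versions and file contents in `demo()` are constructed for the demonstration and do not correspond to any real buildbot release.

```python
"""Offline re-implementation of pip's --require-hashes check.

Added example for this thread, not buildbot's or pip's own code. The
requirement lines, wheel files and digests in demo() are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# One requirement per line, backslash continuations allowed, e.g.
#   buildbot==2.10.0 \
#       --hash=sha256:<hex> --hash=sha256:<hex>
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")
HASH_OPT = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")
# Wheel: name-version-pytag-abi-platform.whl ; sdist: name-version.tar.gz / .zip
ARTIFACT = re.compile(r"^([A-Za-z0-9_.]+)-([^-]+?)(?:-.*\.whl|\.tar\.gz|\.zip)$")


def normalize(name):
    """PEP 503 project-name normalisation: runs of -_. become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return {project: (version, {algo: {digest, ...}})}.

    Every requirement must be an exact ==pin and carry at least one --hash;
    anything else is refused, which is what --require-hashes does.
    """
    pins = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not an exact ==pin: {line!r}")
        project, version = normalize(m.group(1)), m.group(2)
        hashes = {}
        for algo, digest in HASH_OPT.findall(line):
            hashes.setdefault(algo, set()).add(digest.lower())
        if not hashes:
            raise ValueError(f"{project}=={version}: no --hash given")
        pins[project] = (version, hashes)
    return pins


def file_digest(path, algo):
    """Stream a file through hashlib so large sdists are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, pins):
    """Return (ok, reason) for one downloaded distribution file."""
    m = ARTIFACT.match(Path(path).name)
    if not m:
        return False, "unrecognised distribution filename"
    project, version = normalize(m.group(1)), m.group(2)
    if project not in pins:
        return False, f"{project} is not in the requirements file"
    want_version, hashes = pins[project]
    if version != want_version:
        return False, f"version {version} != pinned {want_version}"
    for algo, digests in hashes.items():
        if file_digest(path, algo) in digests:
            return True, f"{algo} matches"
    return False, "no pinned hash matches the file contents"


def verify_dir(directory, requirements_text):
    """Check every file in a local download directory (pip download -d ...)."""
    pins = parse_requirements(requirements_text)
    return {p.name: verify_artifact(p, pins) for p in sorted(Path(directory).iterdir())}


def demo():
    """Constructed scenario: one trusted wheel, one swapped file, one unpinned package."""
    good = b"PK\x03\x04 constructed wheel payload, not a real buildbot release\n"
    # The digest recorded below stands in for `pip hash` run on a release you trust.
    digest = hashlib.sha256(good).hexdigest()
    requirements = "buildbot==2.10.0 \\\n" f"    --hash=sha256:{digest}\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "buildbot-2.10.0-py3-none-any.whl").write_bytes(good)
        (Path(d) / "buildbot-2.10.0.tar.gz").write_bytes(good + b"tampered")
        (Path(d) / "buildbot_worker-2.10.0-py3-none-any.whl").write_bytes(good)
        return verify_dir(d, requirements)


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(("OK  " if ok else "FAIL"), name, "-", reason)
```

Two caveats worth keeping in mind. First, a pinned hash only tells you the file is the one you hashed when you made the pin; whether that release was worth trusting is a separate question (signatures or a review of the upstream release). Second, pip's own `--hash` option accepts only sha256, sha384 and sha512, so the MD5 values PyPI historically published are not usable for this and should not be.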