Source service mode restrictions
Hello, I recently moved maintenance of one of my packages to a more git-centric workflow. In doing so I changed the source service mode from manual to trylocal (or another mode that allows server-side runs). All was good until I tried to submit the package to Factory https://build.opensuse.org/request/show/1077094 The request was declined because "Services are only allowed if their mode is one of localonly, disabled, buildtime, manual". Is it possible to remove this restriction, or include modes that support server-side runs? Are server-side modes not permitted because the sources could change after filing the request? I suppose there's another reason since the same could happen even with the permitted modes. Thanks! Jim
On Thursday 2023-05-04 23:18, Jim Fehlig via openSUSE Factory wrote:
The request was declined because "Services are only allowed if their mode is one of localonly, disabled, buildtime, manual". Is it possible to remove this restriction, or include modes that support server-side runs? Are server-side modes not permitted because the sources could change after filing the request?
Concern for exploitable bugs in the service code itself. For example, tar_scm calls git-clone, and git itself has some opportunities to run hooks, which, with a suitably crafted repository...
On 5/4/23 15:38, Jan Engelhardt wrote:
On Thursday 2023-05-04 23:18, Jim Fehlig via openSUSE Factory wrote:
The request was declined because "Services are only allowed if their mode is one of localonly, disabled, buildtime, manual". Is it possible to remove this restriction, or include modes that support server-side runs? Are server-side modes not permitted because the sources could change after filing the request?
Concern for exploitable bugs in the service code itself. For example, tar_scm calls git-clone, and git itself has some opportunities to run hooks, which, with a suitably crafted repository...
How is the exposure to such exploits different/worse than devel projects where server-side modes are allowed? Cheers, Jim
On Thu, May 04, 2023 at 03:18:36PM -0600, Jim Fehlig via openSUSE Factory wrote:
Hello,
I recently moved maintenance of one of my packages to a more git-centric workflow. In doing so I changed the source service mode from manual to trylocal (or another mode that allows server-side runs). All was good until I tried to submit the package to Factory
https://build.opensuse.org/request/show/1077094
The request was declined because "Services are only allowed if their mode is one of localonly, disabled, buildtime, manual". Is it possible to remove this restriction, or include modes that support server-side runs? Are server-side modes not permitted because the sources could change after filing the request? I suppose there's another reason since the same could happen even with the permitted modes.
The sources need to stay fixed during review and further processes, so any service modes that could change the sources are forbidden. Ciao, Marcus
On 5/5/23 04:00, Marcus Meissner wrote:
On Thu, May 04, 2023 at 03:18:36PM -0600, Jim Fehlig via openSUSE Factory wrote:
Hello,
I recently moved maintenance of one of my packages to a more git-centric workflow. In doing so I changed the source service mode from manual to trylocal (or another mode that allows server-side runs). All was good until I tried to submit the package to Factory
https://build.opensuse.org/request/show/1077094
The request was declined because "Services are only allowed if their mode is one of localonly, disabled, buildtime, manual". Is it possible to remove this restriction, or include modes that support server-side runs? Are server-side modes not permitted because the sources could change after filing the request? I suppose there's another reason since the same could happen even with the permitted modes.
The sources need to stay fixed during review and further processes, so any service modes that could change the sources are forbidden.
Is it possible to inhibit server-side runs during this time? Cheers, Jim
Hi, On Fri, May 05, 2023 at 03:30:05PM -0600, Jim Fehlig wrote:
On 5/5/23 04:00, Marcus Meissner wrote:
On Thu, May 04, 2023 at 03:18:36PM -0600, Jim Fehlig via openSUSE Factory wrote:
Hello,
I recently moved maintenance of one of my packages to a more git-centric workflow. In doing so I changed the source service mode from manual to trylocal (or another mode that allows server-side runs). All was good until I tried to submit the package to Factory
https://build.opensuse.org/request/show/1077094
The request was declined because "Services are only allowed if their mode is one of localonly, disabled, buildtime, manual". Is it possible to remove this restriction, or include modes that support server-side runs? Are server-side modes not permitted because the sources could change after filing the request? I suppose there's another reason since the same could happen even with the permitted modes.
The sources need to stay fixed during review and further processes, so any service modes that could change the sources are forbidden.
Is it possible to inhibit server-side runs during this time?
I do not know. This is more for the buildservice team. Ciao, marcus
participants (3)
-
Jan Engelhardt -
Jim Fehlig -
Marcus Meissner