PE Build pipelines are not public & reproducible build status is unknown #11

Open
bastelfreak opened this issue Mar 30, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@bastelfreak

Use Case

I raised this multiple times on IRC and probably on Jira as well. Similar issues exist for pdk, bolt, puppetserver, puppetdb and puppet agent. The pipeline that produces the Puppet Enterprise deb and rpm packages, and then creates the .tar.gz, is private. This is bad for multiple reasons:

Only employees can add support for a new operating system or update vendored components

Example: I patched r10k in the past and the PR couldn't be merged because I was told 'the internal PE build pipeline doesn't succeed anymore'. But I have no way to know this, nor can I investigate. None of the projects indicate that they have an internal pipeline.

CI infra reviews are hard

The XZ CVE has a rating of 10 out of 10. It's serious. Checking if PE vendors it (and is vulnerable) is one thing; ensuring that the CI pipeline didn't run XZ in a vulnerable version is another topic. Neither partners nor PE users can check this right now because the pipelines are private. We need to rely on a statement from Puppet.

No public reproducible builds

I'm a service delivery partner or solution partner or whatever the current name is. I support large-scale PE customers in highly regulated environments. We prefer to use software with public build logs and reproducible builds. In the case of the XZ RCE it's unclear if the CI pipeline was or is affected. Puppet/Perforce Inc could run a rebuild and check if it's still reproducible. Or customers could do it locally. This would be a great security feature, but it's currently not possible.

Describe the Solution You Would Like

Make the pipelines public. The artifacts are already public.

Describe Alternatives You've Considered

I don't see an alternative.

Additional Context

I would call this a bug, but I assume other people have a different opinion here. Related:
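The reproducibility check the issue asks for (rebuild the artifact, compare digests, then audit which versions of vendored components ended up inside it) is shown below as an added, self-contained example. It is not code from the issue author, Puppet or Perforce, and it does not touch the real PE pipeline: the source tree, the `VENDORED.txt` manifest and the `BUILD_INFO` stamp are constructed stand-ins, and the affected xz versions (5.6.0 and 5.6.1) come from the public CVE-2024-3094 advisories, not from this page. The example contrasts a deterministic `.tar.gz` build with a typical pipeline build that stamps a build ID and timestamps, which is exactly what makes a second build differ even when the inputs are identical.

```python
"""Reproducible-build check for a .tar.gz artifact (added example, not PE's pipeline)."""
import gzip
import hashlib
import io
import os
import tarfile
import time

# Constructed stand-in for a package's source tree. VENDORED.txt is a
# hypothetical manifest listing vendored component versions.
SOURCE_TREE = {
    "bin/puppet": b"#!/usr/bin/env ruby\nputs 'hello'\n",
    "lib/puppet.rb": b"module Puppet; end\n",
    "VENDORED.txt": b"ruby 3.2.3\nopenssl 3.1.4\nxz 5.4.6\n",
}

# xz versions carrying the CVE-2024-3094 backdoor (public advisories, assumed here).
XZ_AFFECTED = {"5.6.0", "5.6.1"}


def build_tarball(tree, deterministic):
    """Return .tar.gz bytes for `tree`.

    deterministic=True normalizes everything that usually makes two builds
    of identical inputs differ: entry order, owner/group, mode, file mtime
    and the mtime field in the gzip header.
    deterministic=False mimics a pipeline that embeds a build ID and times.
    """
    files = dict(tree)
    if not deterministic:
        stamp = f"built_at={time.time_ns()}\nbuild_id={os.urandom(8).hex()}\n"
        files["BUILD_INFO"] = stamp.encode()
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        names = sorted(files) if deterministic else list(files)
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.startswith("bin/") else 0o644
            if deterministic:
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = int(time.time())
                info.uid = info.gid = 1000      # whatever user the CI runner had
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    gz_mtime = 0 if deterministic else None     # None: gzip stamps the current time
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def rebuild_is_reproducible(builder, runs=3):
    """Run the build `runs` times from scratch; True iff every digest matches."""
    digests = {sha256(builder()) for _ in range(runs)}
    return len(digests) == 1


def vendored_versions(tgz_bytes):
    """Read the VENDORED.txt manifest out of an artifact -> {component: version}."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        manifest = tar.extractfile("VENDORED.txt").read().decode()
    versions = {}
    for line in manifest.splitlines():
        name, _, version = line.strip().partition(" ")
        if name:
            versions[name] = version
    return versions


def affected_components(versions):
    """List 'name version' entries whose version is in the affected set."""
    return [f"{name} {ver}" for name, ver in sorted(versions.items())
            if name == "xz" and ver in XZ_AFFECTED]


if __name__ == "__main__":
    for label, det in (("deterministic", True), ("stamped", False)):
        ok = rebuild_is_reproducible(lambda: build_tarball(SOURCE_TREE, det))
        print(f"{label:14} reproducible: {ok}")
    artifact = build_tarball(SOURCE_TREE, True)
    print("sha256:", sha256(artifact))
    print("vendored:", vendored_versions(artifact))
    print("affected:", affected_components(vendored_versions(artifact)))
```

The point a customer would want from a public pipeline is the first function: if the artifact hash they download matches what they get from rebuilding the published sources with the published recipe, a compromised builder (or a compromised xz in the builder's toolchain) would have to produce a byte-identical result to stay hidden. Without the recipe, the manifest audit is the only check available, and it says nothing about what ran during the build.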

@bastelfreak bastelfreak added the enhancement New feature or request label Mar 30, 2024