[arch-devops] secure-runner1.archlinux.org set up

Sven-Hendrik Haase svenstaro at gmail.com
Wed Jun 17 04:27:00 UTC 2020


Hey all,

Just writing real quick to inform you that I just set up
secure-runner1.archlinux.org which is a new hardware box that'll serve as a
GitLab runner that we can trust. The idea is to never allow it to run
unreviewed or untrusted code by limiting it to protected branches of
specific projects (and only those projects, not their forks). Effectively,
that'll be the master branch of selected Arch projects which need to
produce trustable artifacts (like archiso for automatic ISO creation or VM
images, for instance). The current idea is not to use it for any automatic
package building.

This is currently an experiment and will still need to be security audited
(and we're not using it for producing any real artifacts until we feel
comfortable with it). It might turn out we need one such secure runner per
project, who knows.

We'll control this runner rather tightly for obvious reasons and projects
need to be hand-selected one-by-one.

In case anyone's wondering, the box is a Ryzen 5 3600 with 64 GiB ECC DDR4
and 512 GiB BTRFS RAID1.

Cheers,
Sven
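As an added example (not part of the message above and not Arch's own
tooling): the policy Sven describes, a project-specific runner that only
takes jobs from protected refs of a hand-picked set of projects and never
from their forks, can be checked mechanically against what the GitLab API
reports. The script below audits a runner object as returned by
GET /runners/:id together with the matching GET /projects/:id objects. The
field names (access_level, is_shared, runner_type, locked, run_untagged,
tag_list, projects, forked_from_project) follow the GitLab Runners and
Projects APIs as I know them and should be treated as assumptions; the
sample documents and the allow-list of projects are constructed for
illustration.

```python
"""Audit a GitLab runner against a "trusted runner" policy:
protected refs only, project-specific (not shared), locked, tagged,
and assigned to exactly a hand-picked set of projects, none of them forks.

Added example, not Arch's code. API field names are assumptions based on
the GitLab Runners / Projects APIs; all sample data below is constructed.
"""

# Hand-picked allow-list of projects that may use the runner (assumption).
ALLOWED_PROJECTS = {"archlinux/archiso", "archlinux/arch-boxes"}


def audit_runner(runner: dict, projects: dict, allowed: set) -> list:
    """Return a list of policy violations; an empty list means compliant.

    runner:   JSON object as returned by GET /runners/:id
    projects: mapping path_with_namespace -> object from GET /projects/:id
    allowed:  set of path_with_namespace values the runner may serve
    """
    problems = []

    # 1. Only pipelines on protected branches/tags may be scheduled here.
    if runner.get("access_level") != "ref_protected":
        problems.append("access_level is not ref_protected")

    # 2. A shared (instance) runner picks up jobs from any project.
    if runner.get("is_shared") or runner.get("runner_type") != "project_type":
        problems.append("runner is shared or not project-specific")

    # 3. Unlocked runners can be enabled on further projects by maintainers.
    if not runner.get("locked"):
        problems.append("runner is not locked to its projects")

    # 4. Untagged jobs are the easiest way to land on this runner by accident.
    if runner.get("run_untagged", True):
        problems.append("runner accepts untagged jobs")
    if not runner.get("tag_list"):
        problems.append("runner has no tags")

    # 5. Exact project allow-list, and no forks among the assigned projects.
    assigned = {p["path_with_namespace"] for p in runner.get("projects", [])}
    for extra in sorted(assigned - allowed):
        problems.append(f"unexpected project assigned: {extra}")
    for missing in sorted(allowed - assigned):
        problems.append(f"allowed project not assigned: {missing}")
    for path in sorted(assigned):
        parent = projects.get(path, {}).get("forked_from_project")
        if parent:
            problems.append(f"{path} is a fork of {parent.get('path_with_namespace')}")

    return problems


# --- constructed sample data (not captured from a real instance) ---------
PROJECTS = {
    "archlinux/archiso": {"id": 10, "path_with_namespace": "archlinux/archiso"},
    "archlinux/arch-boxes": {"id": 11, "path_with_namespace": "archlinux/arch-boxes"},
    "someone/archiso": {
        "id": 42,
        "path_with_namespace": "someone/archiso",
        "forked_from_project": {"id": 10, "path_with_namespace": "archlinux/archiso"},
    },
}

GOOD_RUNNER = {
    "id": 1, "description": "secure-runner1", "active": True,
    "is_shared": False, "runner_type": "project_type",
    "locked": True, "access_level": "ref_protected",
    "run_untagged": False, "tag_list": ["secure"],
    "projects": [PROJECTS["archlinux/archiso"], PROJECTS["archlinux/arch-boxes"]],
}

BAD_RUNNER = {
    "id": 2, "description": "misconfigured", "active": True,
    "is_shared": False, "runner_type": "project_type",
    "locked": False, "access_level": "not_protected",
    "run_untagged": True, "tag_list": [],
    "projects": [PROJECTS["archlinux/archiso"], PROJECTS["someone/archiso"]],
}


if __name__ == "__main__":
    for name, runner in (("good", GOOD_RUNNER), ("bad", BAD_RUNNER)):
        print(name, audit_runner(runner, PROJECTS, ALLOWED_PROJECTS) or "OK")
```

The fork check is the part worth keeping an eye on: with a project-level
runner, merge request pipelines from a fork run in the fork's own project
and so do not see the parent's runner, but the runner also has to stay
unlocked-for-nobody, otherwise a maintainer of some other project can enable
it there and the allow-list stops meaning anything.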