redshiftzero edited this page Nov 20, 2019 · 2 revisions
Build Logs
Goals
What is saving build logs protecting against?
The goal of these build logs is to have a clear record of what happened during the build process for the purpose of retrospectives. This record can help us determine whether mistakes were made during the build (since some of the process is manual) and can support incident response.
What is saving build logs not protecting against?
Does not protect against a malicious insider
Does not protect against compromised pip dependencies; that is done via hashes in the requirements file
Does not protect against a compromised build machine
What should be saved
Builders should save their terminal output starting with:
Checking out the build tag (and verifying it if it is signed with the airgap key)
make build-debs output
the SHA256 sum of the built debs
for a production build: cat the Release file and Release.gpg
Finally, they should sign the entire document and place it into the wiki with a link in the section below.
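One way to capture the items listed above in a single log file, as an added example that is not part of the original page or the project's tooling. The log path, the directory holding the built debs, the Release directory and the use of `gpg --clearsign` for the signature are assumptions; `verify_deb_hashes` goes one step beyond the list and shows how the saved hashes can be re-checked during a retrospective.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Assumed names: the log path,
# the directory holding the built .deb files, and the Release file directory.

# Echo a command into the log before running it, so the record shows what ran.
log_cmd() {
    printf '$ %s\n' "$*"
    "$@" 2>&1
}

# Print the SHA256 sum of every .deb in directory $1; fails if there are none.
record_deb_hashes() (
    cd "$1" && sha256sum -- *.deb
)

# Retrospective check: do the debs in $2 still match the hashes logged in $1?
verify_deb_hashes() (
    sums=$(grep -E '^[0-9a-f]{64} [ *].+\.deb$' "$1") || exit 1  # nothing logged
    cd "$2" && printf '%s\n' "$sums" | sha256sum -c
)

# Usage: capture_build_log TAG LOGFILE DEB_DIR [RELEASE_DIR]
capture_build_log() {
    {
        log_cmd git checkout "$1" || exit 1
        log_cmd git tag -v "$1"            # fails visibly if the tag is unsigned
        log_cmd make build-debs || exit 1
        printf '$ sha256sum *.deb\n'
        record_deb_hashes "$3"
        if [ -n "${4:-}" ]; then           # production builds only
            log_cmd cat "$4/Release" "$4/Release.gpg"
        fi
    } | tee "$2"
    gpg --clearsign "$2"                   # assumed signing step: writes LOGFILE.asc
}

# Run only when called with arguments, e.g. ./buildlog.sh TAG build.log build/
if [ "$#" -ge 3 ]; then capture_build_log "$@"; fi
```

Because the hashes sit inside the signed document, a later mismatch reported by `verify_deb_hashes` points to a change made after the builder signed the log.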