-
-
Notifications
You must be signed in to change notification settings - Fork 255
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Adding secure mode option to build scripting #4076
base: master
Are you sure you want to change the base?
Conversation
This mode will eventually be used to disable a range of build script functionality that raises the potential security risk level during the build process. After this commit is merged, we will need to add the flag to the pipeline job configurations in order to pass it into build jobs. Signed-off-by: Adam Farley <[email protected]>
@@ -558,6 +562,9 @@ function configDefaults() { | |||
|
|||
BUILD_CONFIG[ENABLE_SBOM_STRACE]="false" | |||
|
|||
# Set default value to "false", for maximum user convenience. "false" enables potentially-insecure functionality, like the dynamic download of boot JDKs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The boot jdk is one of few downloads, which you must manually force to happen. Eg. alsa is on contrary download without warning. Free type is downloaded as sources? What else is/can be downloaded? /me just curious. Thanx for the downlaod unification effort. Highly appreciated!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mainly boot JDKs. AIX, Alpine Linux, and Mac download boot JDKs if they can't find one locally.
There are also 22 other uses of wget, and many more that are indirect.
e.g. buildDocker.sh and dockerfile-generator wget many things, like the list of available releases and the mkdocker.sh script from openj9.
This is so that all downloads can take place through a single function, regardless of OS or scenario. Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Just FYI, there is: #3741 It seems that you have initiated the work :) |
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
Signed-off-by: Adam Farley <[email protected]>
This mode will eventually be used to disable a range of build script functionality that raises the potential security risk level during the build process.
This PR is intended to cover the creation of the new mode, the relevant documentation, and the changes to make the mode disable the automatic fetching of boot JDKs.
After this commit is merged, we will need to add the flag to the pipeline job configurations in order to pass it into build jobs.
This PR is connected to #4074 but does not fully resolve it.