Hi,
On 11/17/2016 06:44 PM, David Fetter wrote:
> On Thu, Nov 17, 2016 at 09:28:39AM +0100, Tomas Vondra wrote:
>> Hi,
>>
>> A rather long time ago I've developed pgxn-tester [1] with the primary goal
>> to provide feedback to developers of extensions, and to some extent also to
>> users. There's a bunch of issues that I think need to be addressed, but I've
>> been unable to do so - both because of lack of time and clear ideas how. I'm
>> considering what to do with the project.
>>
>> I see about three issues with how the testing is done.
>>
>> Firstly there's the security, or lack of it - the extensions are
>> compiled and tested without any sandboxing, so it wouldn't be
>> difficult to compromise the system with a bit of C code. I've
>> neglected the issue so far, but that's a poor approach. While the
>> system is not particularly valuable, it'd still be a hassle. I've
>> stopped the testing job until a reasonable sandboxing solution is
>> put into place.
>
> What does CircleCI do? I'm guessing there's something along the
> lines of a container or virtual machine. Could something use
> CircleCI's (or similar) machinery?
>
I have no idea how CircleCI works.
A lot of CI tools were designed for internal development purposes,
assuming only known good code (produced by the team) will be tested. So
while they provide orchestration, there's not much built-in protection.
At least that was the case 2 years ago, I think.
At least that was my experience with tools like Jenkins. But I admit
I've never done any serious research, and perhaps the situation has
changed with improvements in the area of containers (e.g. Docker).
FWIW, this is also partially caused by the available infrastructure. The
tests are currently running on a RH 6.x machine with a 2.6.32 kernel, where
LXC probably lacks the new stuff (namespaces etc.).
That's fairly simple to fix (upgrade to RH 7.3 or whatever is the
current version), I simply never got to do that due to lack of clear
idea of what needs to be done.
>> There are other issues - lack of diversity of the test systems
>> (single Linux system, while it'd be good to also have Windows, etc.)
>> and imperfect automation, but those are secondary issues - people
>> are unlikely to deploy the client until addressing the security thing.
>
> People vet software for "security," whatever that means in the
> context they're using, even if it's something along the lines of,
> "this is known to be a popular piece of software, and I haven't heard
> any concerns about it that concern me." Apart from taking steps to
> protect our infrastructure, which a VM-based approach would probably
> cover, we aren't in the business of certifying things.
>
I think there's a major difference when considering a particular popular
software package, and a tool that is intended to download, compile and
execute arbitrary packages from the Internet.
pgbuildfarm does not have this problem, because the code is passing
through a trusted repository, which is something pgxn-tester does not
have (for the tested packages).
While it's probably safe to assume people would deploy pgxn-tester into
a VM isolated from the rest of the system/network (at least that's what
I'd do, no matter if it's using something smart internally), it would be
fairly trivial to use pgxn-tester to establish "proxy" nodes, and route
arbitrary traffic through that. No fun.
>> So if you find pgxn-tester useful, have an idea how to address the
>> issues (particularly the sandboxing one) and want to help with it,
>> let me know.
>
> I don't know how many tuits I'll have on this, but it'd be good to get
> all the source and docs in a place where others can help if they're
> not already there.
>
Well, everything is available on GitHub from the very beginning:
https://github.com/tvondra/pgxn-tester-client
https://github.com/tvondra/pgxn-tester-server
Maybe there were some minor tweaks that I've made directly on the
machine - I'll check.
I'm also fine with granting access to other people, assuming they're not
entirely anonymous and are considering contributing. Being the single
guy managing a repository is not much fun.
regards
Tomas
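The thread above asks for two things of a sandbox for untrusted extension builds: the host must survive a hostile bit of C, and the tester must not become a relay for arbitrary traffic even when it sits in its own VM. The script below is an added example, not code from pgxn-tester or its author. It assumes a Docker-compatible CLI, uses a placeholder image name, and relies on the fact that complete user namespaces arrived in Linux 3.8, which is why a 2.6.32 kernel gives a container runtime little to work with.

```shell
#!/bin/sh
# Added example (not pgxn-tester code): a minimal sandbox wrapper for
# building and testing an untrusted extension. Assumes a Docker-compatible
# CLI; SANDBOX_IMAGE is a placeholder. The kernel check reflects that
# user namespaces were completed in Linux 3.8.

# version_ge VER MIN: succeed when kernel version VER is >= MIN, comparing
# only the major.minor components (e.g. "3.10.0-957.el7" >= "3.8").
version_ge() {
    v_major=${1%%.*}; v_rest=${1#*.}; v_minor=${v_rest%%.*}
    m_major=${2%%.*}; m_rest=${2#*.}; m_minor=${m_rest%%.*}
    # strip a distro suffix so "19-generic" compares as 19
    v_minor=${v_minor%%-*}; m_minor=${m_minor%%-*}
    if [ "$v_major" -ne "$m_major" ]; then
        [ "$v_major" -gt "$m_major" ]
    else
        [ "$v_minor" -ge "$m_minor" ]
    fi
}

# kernel_supports_userns [VER]: does the running kernel (or the given
# version string) offer user namespaces, which unprivileged container
# sandboxes depend on? A RH 6.x kernel (2.6.32) fails this check.
kernel_supports_userns() {
    version_ge "${1:-$(uname -r)}" 3.8
}

# sandbox_run SRC_DIR CMD...: run CMD in a throwaway container with the
# extension source mounted read-only, no network (a compromised build can
# neither phone home nor act as a proxy node), all capabilities dropped, a
# read-only root filesystem, and resource limits so a runaway test cannot
# starve the host. SANDBOX_RUNNER lets a caller substitute "echo" to inspect
# the exact invocation without executing anything.
sandbox_run() {
    src=$1; shift
    [ -d "$src" ] || { echo "sandbox_run: $src is not a directory" >&2; return 2; }
    runner=${SANDBOX_RUNNER:-docker}
    image=${SANDBOX_IMAGE:-pgxn-build:PLACEHOLDER}   # placeholder image name
    "$runner" run --rm \
        --network none \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=512m \
        --tmpfs /build:rw,size=1g \
        --pids-limit 256 \
        --memory 1g \
        --cpus 1 \
        --user 1000:1000 \
        --volume "$src:/src:ro" \
        --workdir /build \
        "$image" "$@"
}

# Usage (after copying the source into the writable /build tmpfs):
#   kernel_supports_userns || echo "kernel too old for namespace sandboxing"
#   sandbox_run ./extension-src sh -c 'cp -r /src/. . && make && make installcheck'
```

A container of this kind still shares the host kernel, so it complements the dedicated, network-isolated VM the message describes rather than replacing it; `--network none` is the part that addresses the "proxy node" concern, and the read-only source mount means a run can never alter what the next run tests.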