LWN: Comments on "Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship"
https://lwn.net/Articles/1039127/
This is a special feed containing comments posted to the individual LWN article titled "Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship".
Feed updated: Tue, 23 Sep 2025 21:49:29 +0000

simple
https://lwn.net/Articles/1039172/
ballombe, Tue, 23 Sep 2025 21:10:51 +0000
Indeed, I am a big fan of the CI concept, but the way CI is implemented nowadays is totally disgusting.
It seems like developers now have lost all their sysadmin skill.

Mirror security
https://lwn.net/Articles/1039171/
fraetor, Tue, 23 Sep 2025 21:07:30 +0000
If you know what version you require (and ideally its hash), then you don't need to query the index in the same way.

I'm more talking about when you request the latest version of a well-known package: an attacker may want to make the "latest" version appear to be an old one, so they can take advantage of security issues that have since been fixed, and would be able to provide a valid signature because that package _was_ legitimately served by the repository, just before the vulnerability was fixed.

Mirror security
https://lwn.net/Articles/1039164/
NAR, Tue, 23 Sep 2025 20:02:31 +0000
> to avoid being vulnerable to getting served an old version of a package

I think for build reproducibility (and to avoid breaking changes) some environments do prefer to download the same (old) version and not the latest and greatest.

Mirror security
https://lwn.net/Articles/1039160/
fraetor, Tue, 23 Sep 2025 19:31:46 +0000
How many of these language-specific package repositories sign their package metadata? The big risk with not downloading from the original source is that the package could be replaced with a different version by the mirror, but if the packages have signed metadata this risk could be minimised.

I guess you would probably want a signed and timestamped index that contains package hashes and is only valid for a few hours, to avoid being vulnerable to getting served an old version of a package. Or perhaps I'm overcomplicating it, and the metadata should always be queried from the source repository, and only the package data should be mirrored.

If we can trust it to be secure, then perhaps CI systems could inject an environment variable with an alternative repository URL to use, transparent to users of the CI system.

simple
https://lwn.net/Articles/1039158/
ibukanov, Tue, 23 Sep 2025 19:23:50 +0000
On the other hand, caching across builds is non-trivial, especially in CI settings. The amount of instructions to give to a build kit just to save the cache is insane.

I also wish language runtimes would demand populated local caches instead of automatically downloading things by default, so that at least not using the local cache would take more effort than using it.

simple
https://lwn.net/Articles/1039140/
yodermk, Tue, 23 Sep 2025 17:07:09 +0000
Yep. I've long thought it is positively insane how many times CI pipelines download the same thing, and no one seems to care.

simple
https://lwn.net/Articles/1039133/
cen, Tue, 23 Sep 2025 16:05:18 +0000
Add rate limits and see how fast each dev sets up a local cache mirror. Problem solved. Docker Hub actually started rate limiting pretty aggressively and we fixed the issues on the first failed pipeline. Unless you force the issue, nobody will care.

Missing a link?
https://lwn.net/Articles/1039132/
jake, Tue, 23 Sep 2025 15:54:34 +0000
Oops ... I meant to put that link in the blurb, of course ... now it's there ...

thanks,

jake

Missing a link?
https://lwn.net/Articles/1039131/
Kamiccolo, Tue, 23 Sep 2025 15:49:05 +0000
Full statement (open letter?) from the OpenSSF:
https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/
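The signed, timestamped package index that fraetor proposes in the "Mirror security" comments above, together with the checks a client would apply to it (signature, expiry, no rollback to an older index, and the mirror's blob matching the indexed hash), as an added example that is not part of the LWN thread or any registry's code. It assumes HMAC-SHA256 with a shared key in place of a real signature scheme, and the package name, blobs and index layout are constructed.

```python
import hashlib, hmac, json

# Constructed demo values. HMAC-SHA256 with a shared key stands in for the
# repository's real signing scheme (an assumption, not any registry's format).
INDEX_KEY = b"constructed-demo-signing-key"
INDEX_TTL = 4 * 3600                    # index only valid for a few hours
NOW = 1_700_000_000.0                   # fixed clock so the demo is repeatable
PKG_V10 = b"widget 1.0 (has the bug)"   # constructed package blobs
PKG_V11 = b"widget 1.1 (bug fixed)"
MIRROR = {"widget-1.0.tar": PKG_V10, "widget-1.1.tar": PKG_V11}

def _mac(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(INDEX_KEY, payload, hashlib.sha256).hexdigest()

def sign_index(version: str, blob: bytes, issued_at: float) -> dict:
    # Upstream side: sign a short-lived index mapping "latest" to a package hash.
    pkg = {"version": version, "filename": f"widget-{version}.tar",
           "sha256": hashlib.sha256(blob).hexdigest()}
    body = {"issued_at": issued_at, "expires_at": issued_at + INDEX_TTL,
            "packages": {"widget": pkg}}
    return {"body": body, "sig": _mac(body)}

class IndexVerifier:
    # Client side: signature, expiry, and the index must never go backwards.
    last_issued = 0.0   # becomes a per-instance value once verify() accepts an index

    def verify(self, signed: dict, now: float) -> dict:
        body = signed["body"]
        if not hmac.compare_digest(_mac(body), signed["sig"]):
            raise ValueError("bad signature")
        if now > body["expires_at"]:
            raise ValueError("index expired")   # replayed old-but-genuine index
        if body["issued_at"] < self.last_issued:
            raise ValueError("index rollback")  # older than one already accepted
        self.last_issued = body["issued_at"]
        return body

def fetch_latest(verifier, signed_index, mirror, name, now):
    # Resolve "latest" through the verified index, then check the mirror's blob.
    entry = verifier.verify(signed_index, now)["packages"][name]
    blob = mirror[entry["filename"]]
    if hashlib.sha256(blob).hexdigest() != entry["sha256"]:
        raise ValueError("hash mismatch")       # mirror substituted the file
    return entry["version"], blob

def attempt(verifier, signed_index, mirror, name, now):
    try:
        return ("ok", fetch_latest(verifier, signed_index, mirror, name, now)[0])
    except ValueError as e:
        return ("rejected", str(e))
```

A genuinely signed index from before the fix fails the expiry check, an unexpired but older index fails the rollback check, and a mirror that swaps the file fails the hash check, so only the signed hashes need to come from a trusted source and the blobs can be served from anywhere.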