Hi,
https://wiki.linaro.org/Platform/Android/LinaroAndroidBuildService has been updated with these instructions about a new build option:
EXTERNAL_TARBALL
Use to request that the build system fetch an archive from the location that you set EXTERNAL_TARBALL to and unpack it into build/external_tarballs (build is the build root directory. This exact path can be written as $BUILD_SCRIPT_ROOT/../../build/external_tarballs). Multiple archives can be requested, separated by ";", e.g. EXTERNAL_TARBALL="http://foo.com/ball1.tar.gz%3Bhttp://foo.com/ball2.tar.bz2"
There has been some discussion about whether the path that is being unpacked to is easy to use. We could modify the build scripts so we either set an environment variable to point to where we unpack to ($EXT_TARBALL_DIR) or have a fixed path in /tmp that we soft link from (/tmp/external_tarballs). If you have a strong opinion, please let me know.
Thanks,
On Tue, Jan 31, 2012 at 03:50:37PM +0000, James Tunnicliffe wrote:
> Hi,
> https://wiki.linaro.org/Platform/Android/LinaroAndroidBuildService has been updated with these instructions about a new build option:
> EXTERNAL_TARBALL
> Use to request that the build system fetch an archive from the location that you set EXTERNAL_TARBALL to and unpack it into build/external_tarballs (build is the build root directory. This exact path can be written as $BUILD_SCRIPT_ROOT/../../build/external_tarballs). Multiple archives can be requested, separated by ";", e.g. EXTERNAL_TARBALL="http://foo.com/ball1.tar.gz%3Bhttp://foo.com/ball2.tar.bz2"
Nice work. I just wonder if there is a potential attack vector here -- is the build configuration writeable by any users invoked during the build or setup process?
On 31 January 2012 18:14, Christian Robottom Reis kiko@linaro.org wrote:
> On Tue, Jan 31, 2012 at 03:50:37PM +0000, James Tunnicliffe wrote:
> > Hi,
> > https://wiki.linaro.org/Platform/Android/LinaroAndroidBuildService has been updated with these instructions about a new build option:
> > EXTERNAL_TARBALL
> > Use to request that the build system fetch an archive from the location that you set EXTERNAL_TARBALL to and unpack it into build/external_tarballs (build is the build root directory. This exact path can be written as $BUILD_SCRIPT_ROOT/../../build/external_tarballs). Multiple archives can be requested, separated by ";", e.g. EXTERNAL_TARBALL="http://foo.com/ball1.tar.gz%3Bhttp://foo.com/ball2.tar.bz2"
> Nice work. I just wonder if there is a potential attack vector here -- is the build configuration writeable by any users invoked during the build or setup process?
Each build is run on a clean EC2 instance, so shouldn't worry about logins left behind from other activities. This certainly doesn't open us up to any more problems than a user who has write access to the box could cause any other way.
On Tue, Jan 31, 2012 at 06:49:18PM +0000, James Tunnicliffe wrote:
> Each build is run on a clean EC2 instance, so shouldn't worry about logins left behind from other activities. This certainly doesn't open us up to any more problems than a user who has write access to the box could cause any other way.
Right, but could some evil code be committed that can modify the configuration to fetch an external exploit and install it into the LEB?
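Added example, not part of the thread or of the Linaro build scripts: one way a build service could vet an EXTERNAL_TARBALL value before fetching anything, and check archive members before unpacking into build/external_tarballs. The allowlisted host, the https requirement and all function names are assumptions made for illustration.

```python
import os
import re
import tarfile
from urllib.parse import urlsplit

# Assumption: hosts the build service chooses to trust (placeholder value).
ALLOWED_HOSTS = {"snapshots.example.org"}
ARCHIVE_SUFFIXES = (".tar.gz", ".tar.bz2")

def split_external_tarball(value):
    """Split on ';' or its URL-encoded form '%3B', as in the wiki example."""
    return [u.strip() for u in re.split(r";|%3[Bb]", value) if u.strip()]

def check_url(url):
    """Return the reasons to refuse this URL (empty list means acceptable)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        problems.append("host not in allowlist")
    if not parts.path.endswith(ARCHIVE_SUFFIXES):
        problems.append("unexpected archive type")
    return problems

def audit(value):
    """Map every requested archive URL to its list of problems."""
    return {url: check_url(url) for url in split_external_tarball(value)}

def escaping_members(tar, dest):
    """Names of members that would land outside dest or are not plain files/dirs."""
    root = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(root, member.name))
        inside = target == root or target.startswith(root + os.sep)
        if not inside or not (member.isfile() or member.isdir()):
            bad.append(member.name)
    return bad

if __name__ == "__main__":
    # The value quoted from the wiki page in the first message.
    wiki_value = "http://foo.com/ball1.tar.gz%3Bhttp://foo.com/ball2.tar.bz2"
    for url, problems in audit(wiki_value).items():
        print(url, "->", problems or "ok")
```

A build job would refuse to fetch when any URL has a non-empty problem list, and refuse to unpack when escaping_members returns anything.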