Danilo Šegan danilo.segan@linaro.org writes:
Heya Andy,
On Tue, 27. 11 2012. at 12:24 -0600, Andy Doan wrote:
yes, we have ways of transferring a file from target->host in our dispatcher. We could use that so that our private key only has to live on our actual server(s).
Cool.
Since we'd like to switch to API-based publishing as well, I suppose that means we could also have a key stored in the database for pushing stuff over: does that make sense?
So you are saying we might need a new "publishing key". That seems fine, just a slightly different config option for our setup I'd think.
Yeah, mostly for the sanity (and symmetry) of our existing setup. The way it's currently set up is that our publishing framework accepts SSH connections with very limited permissions:
- upload step which only allows sftp-ing to /srv/snapshots.linaro.org/uploads which is not publicly accessible
- trigger step which reshuffles the files into appropriate location (restricted to running publish_to_snapshots.py script)
[..]
I am hoping we can find some time to improve this with an API on https://snapshots.linaro.org that would be authenticated directly, but we can't make promises on when that's going to be around.
Sounds like all the more reason to keep the job file at the fairly abstract "publish" level then.
Cheers, mwh
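
The two-step restricted SSH setup described in the thread (an sftp-only upload key and a trigger key pinned to one script) can be audited mechanically. The following is an added example, not code from the thread or from Linaro: it assumes the restrictions are expressed as OpenSSH `authorized_keys` options, and the key blobs, key labels, the script directory and the function names `split_options` and `audit` are all constructed for illustration.

```python
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")
NO_FLAGS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

# Constructed sample: key blobs, labels and the script directory are placeholders.
SAMPLE = """\
restrict,command="internal-sftp" ssh-ed25519 AAAAPLACEHOLDER1 upload-key
no-pty,command="/PLACEHOLDER/publish_to_snapshots.py" ssh-ed25519 AAAAPLACEHOLDER2 trigger-key
ssh-ed25519 AAAAPLACEHOLDER3 unrestricted-key
"""

def split_options(line):
    """Split one authorized_keys line into (options dict, remainder)."""
    if line.startswith(KEY_TYPES):          # no options field at all
        return {}, line
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 2       # escaped quote inside a value
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:      # commas inside quotes are data
            opts.append(buf)
            buf = ""
        elif ch == " " and not quoted:      # first bare space ends the options
            break
        else:
            buf += ch
        i += 1
    opts.append(buf)
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name.lower()] = value        # option names are case-insensitive
    return parsed, line[i:].strip()

def audit(text):
    """Return (key label, problem) pairs for keys that are not locked down."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        label = rest.split()[-1]
        if "command" not in opts:
            findings.append((label, "no forced command"))
        missing = sorted(NO_FLAGS - set(opts))
        if "restrict" not in opts and missing:
            findings.append((label, "missing " + ",".join(missing)))
    return findings

if __name__ == "__main__":
    for label, problem in audit(SAMPLE):
        print(f"{label}: {problem}")
```

The upload key passes because `restrict` covers all four forwarding and pty restrictions; the trigger key is flagged because a forced command alone still leaves port, agent and X11 forwarding available.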