[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] deploy docs to qemu-project.org from GitLab CI
From: |
Stefan Hajnoczi |
Subject: |
Re: [PATCH] deploy docs to qemu-project.org from GitLab CI |
Date: |
Tue, 19 Jan 2021 14:56:22 +0000 |
On Tue, Jan 19, 2021 at 02:26:19PM +0100, Paolo Bonzini wrote:
> Currently, the website is rebuilt on qemu-project.org using
> a separate container (https://github.com/stefanha/qemu-docs/)
> cron job hook. We can instead reuse the GitLab's CI artifacts.
>
> To do so, we use the same mechanism that is already in place for
> qemu-web.git.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> .gitlab-ci.yml | 23 ++++++++++++++++++++++
> tests/docker/dockerfiles/ubuntu2004.docker | 2 ++
> 2 files changed, 25 insertions(+)
Hmm...the UNIX account on qemu.org is locked down to some extent but I
don't feel comfortable with a GitLab CI job sshing into qemu.org.
ssh access aside, we are publishing HTML from a shared CI runner to
qemu.org. Effectively we are allowing an untrusted machine to publish
HTML/JS/CSS on qemu.org. It could steal HTTP Cookies or do other
malicious things. That is less of a problem when there is a dedicated
subdomain so that the Same Origin policy can provide isolation. Maybe
there are more recent web security mechanisms that allow us to define a
policy so browsers do not treat qemu.org/docs/* the same as other
qemu.org pages?
(This wasn't a problem before since the container was running on a
dedicated instance under our control.)
Stefan
signature.asc
Description: PGP signature