-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: move mirrors to their standalone bucket #63485
Conversation
This comment has been minimized.
This comment has been minimized.
Currently mirrors are stored in the rust-lang-ci2 S3 bucket along with CI toolchains. This is problematic for multiple reasons: - CI IAM credentials are allowed to both edit and delete those files. A malicious user gaining access to those credentials would be able to change our mirrored dependencies, possibly backdooring the compiler. - Contents of the rust-lang-ci2 bucket are disposable except for the mirrors' content. When we implement backups for S3 buckets we'd have to replicate just that part of the bucket, complicating the backup logic and increasing the chance of mistakes. A standalone bucket will be way easier to backup. This commit switches our CI to use the new rust-lang-ci-mirrors bucket.
fb127a1
to
eb832b2
Compare
@bors: r+ |
📌 Commit eb832b2 has been approved by |
On second thought, let's not backport this to 1.37: promotion is happening really soon, and I don't want anything breaking. Let's get it in in 1.38 though. @bors p=10 |
ci: move mirrors to their standalone bucket Currently mirrors are stored in the rust-lang-ci2 S3 bucket along with CI toolchains. This is problematic for multiple reasons: - CI IAM credentials are allowed to both edit and delete those files. A malicious user gaining access to those credentials would be able to change our mirrored dependencies, possibly compromising the compiler. - Contents of the rust-lang-ci2 bucket are disposable except for the mirrors' content. When we implement backups for S3 buckets we'd have to replicate just that part of the bucket, complicating the backup logic and increasing the chance of mistakes. A standalone bucket will be way easier to backup. This commit switches our CI to use the new rust-lang-ci-mirrors bucket. r? @alexcrichton
💔 Test failed - checks-azure |
The job Click to expand the log.
I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact |
@bors retry Spurious crates.io download failure (expired cert) |
⌛ Testing commit eb832b2 with merge debcee23ac879e9ade0a93dac60f28f641cd2b23... |
@bors retry prioritize stable |
…lexcrichton ci: move mirrors to their standalone bucket Currently mirrors are stored in the rust-lang-ci2 S3 bucket along with CI toolchains. This is problematic for multiple reasons: - CI IAM credentials are allowed to both edit and delete those files. A malicious user gaining access to those credentials would be able to change our mirrored dependencies, possibly compromising the compiler. - Contents of the rust-lang-ci2 bucket are disposable except for the mirrors' content. When we implement backups for S3 buckets we'd have to replicate just that part of the bucket, complicating the backup logic and increasing the chance of mistakes. A standalone bucket will be way easier to backup. This commit switches our CI to use the new rust-lang-ci-mirrors bucket. r? @alexcrichton
Rollup of 11 pull requests Successful merges: - #62760 (Deduplicate error messages in `librsctc_mir`) - #62849 (typeck: Prohibit RPIT types that inherit lifetimes) - #63383 (`async fn` lifetime elision tests) - #63421 (Implement Clone, Display for ascii::EscapeDefault) - #63459 (syntax: account for CVarArgs being in the argument list.) - #63475 (Bring back suggestion for splitting `<-` into `< -`) - #63485 (ci: move mirrors to their standalone bucket) - #63486 (Document `From` trait for `BinaryHeap`) - #63488 (improve DiagnosticBuilder docs) - #63493 (Remove unneeded comment in src/libcore/hash/mod.rs) - #63499 (handle elision in async fn correctly) Failed merges: r? @ghost
…lexcrichton ci: move mirrors to their standalone bucket Currently mirrors are stored in the rust-lang-ci2 S3 bucket along with CI toolchains. This is problematic for multiple reasons: - CI IAM credentials are allowed to both edit and delete those files. A malicious user gaining access to those credentials would be able to change our mirrored dependencies, possibly compromising the compiler. - Contents of the rust-lang-ci2 bucket are disposable except for the mirrors' content. When we implement backups for S3 buckets we'd have to replicate just that part of the bucket, complicating the backup logic and increasing the chance of mistakes. A standalone bucket will be way easier to backup. This commit switches our CI to use the new rust-lang-ci-mirrors bucket. r? @alexcrichton
1.38 beta is happening right now and this is not going to land before it. Let's backport it instead. |
Rollup of 10 pull requests Successful merges: - #62760 (Deduplicate error messages in `librsctc_mir`) - #62849 (typeck: Prohibit RPIT types that inherit lifetimes) - #63383 (`async fn` lifetime elision tests) - #63421 (Implement Clone, Display for ascii::EscapeDefault) - #63459 (syntax: account for CVarArgs being in the argument list.) - #63475 (Bring back suggestion for splitting `<-` into `< -`) - #63485 (ci: move mirrors to their standalone bucket) - #63486 (Document `From` trait for `BinaryHeap`) - #63488 (improve DiagnosticBuilder docs) - #63493 (Remove unneeded comment in src/libcore/hash/mod.rs) Failed merges: r? @ghost
…lexcrichton ci: move mirrors to their standalone bucket Currently mirrors are stored in the rust-lang-ci2 S3 bucket along with CI toolchains. This is problematic for multiple reasons: - CI IAM credentials are allowed to both edit and delete those files. A malicious user gaining access to those credentials would be able to change our mirrored dependencies, possibly compromising the compiler. - Contents of the rust-lang-ci2 bucket are disposable except for the mirrors' content. When we implement backups for S3 buckets we'd have to replicate just that part of the bucket, complicating the backup logic and increasing the chance of mistakes. A standalone bucket will be way easier to backup. This commit switches our CI to use the new rust-lang-ci-mirrors bucket. r? @alexcrichton
…lexcrichton ci: move mirrors to their standalone bucket Currently mirrors are stored in the rust-lang-ci2 S3 bucket along with CI toolchains. This is problematic for multiple reasons: - CI IAM credentials are allowed to both edit and delete those files. A malicious user gaining access to those credentials would be able to change our mirrored dependencies, possibly compromising the compiler. - Contents of the rust-lang-ci2 bucket are disposable except for the mirrors' content. When we implement backups for S3 buckets we'd have to replicate just that part of the bucket, complicating the backup logic and increasing the chance of mistakes. A standalone bucket will be way easier to backup. This commit switches our CI to use the new rust-lang-ci-mirrors bucket. r? @alexcrichton
…lexcrichton ci: move mirrors to their standalone bucket Currently mirrors are stored in the rust-lang-ci2 S3 bucket along with CI toolchains. This is problematic for multiple reasons: - CI IAM credentials are allowed to both edit and delete those files. A malicious user gaining access to those credentials would be able to change our mirrored dependencies, possibly compromising the compiler. - Contents of the rust-lang-ci2 bucket are disposable except for the mirrors' content. When we implement backups for S3 buckets we'd have to replicate just that part of the bucket, complicating the backup logic and increasing the chance of mistakes. A standalone bucket will be way easier to backup. This commit switches our CI to use the new rust-lang-ci-mirrors bucket. r? @alexcrichton
Rollup of 17 pull requests Successful merges: - #62760 (Deduplicate error messages in `librsctc_mir`) - #62849 (typeck: Prohibit RPIT types that inherit lifetimes) - #63383 (`async fn` lifetime elision tests) - #63421 (Implement Clone, Display for ascii::EscapeDefault) - #63459 (syntax: account for CVarArgs being in the argument list.) - #63475 (Bring back suggestion for splitting `<-` into `< -`) - #63485 (ci: move mirrors to their standalone bucket) - #63486 (Document `From` trait for `BinaryHeap`) - #63488 (improve DiagnosticBuilder docs) - #63493 (Remove unneeded comment in src/libcore/hash/mod.rs) - #63499 (handle elision in async fn correctly) - #63501 (use `ParamName` to track in-scope lifetimes instead of Ident) - #63508 (Do not ICE when synthesizing spans falling inside unicode chars) - #63511 (ci: add a check for clock drift) - #63512 (Provide map_ok and map_err method for Poll<Option<Result<T, E>>>) - #63529 (RELEASES.md: ? is one of three Kleene operators) - #63530 (Fix typo in error message.) Failed merges: r? @ghost
Rollup of 17 pull requests Successful merges: - #62760 (Deduplicate error messages in `librsctc_mir`) - #62849 (typeck: Prohibit RPIT types that inherit lifetimes) - #63383 (`async fn` lifetime elision tests) - #63421 (Implement Clone, Display for ascii::EscapeDefault) - #63459 (syntax: account for CVarArgs being in the argument list.) - #63475 (Bring back suggestion for splitting `<-` into `< -`) - #63485 (ci: move mirrors to their standalone bucket) - #63486 (Document `From` trait for `BinaryHeap`) - #63488 (improve DiagnosticBuilder docs) - #63493 (Remove unneeded comment in src/libcore/hash/mod.rs) - #63499 (handle elision in async fn correctly) - #63501 (use `ParamName` to track in-scope lifetimes instead of Ident) - #63508 (Do not ICE when synthesizing spans falling inside unicode chars) - #63511 (ci: add a check for clock drift) - #63512 (Provide map_ok and map_err method for Poll<Option<Result<T, E>>>) - #63529 (RELEASES.md: ? is one of three Kleene operators) - #63530 (Fix typo in error message.) Failed merges: r? @ghost
…ichton ci: move libc mirrors to the rust-lang-ci-mirrors bucket Finishing up rust-lang#63485. Already moved the objects. r? @alexcrichton
Currently mirrors are stored in the rust-lang-ci2 S3 bucket along with
CI toolchains. This is problematic for multiple reasons:
CI IAM credentials are allowed to both edit and delete those files.
A malicious user gaining access to those credentials would be able to
change our mirrored dependencies, possibly compromising the compiler.
Contents of the rust-lang-ci2 bucket are disposable except for the
mirrors' content. When we implement backups for S3 buckets we'd have
to replicate just that part of the bucket, complicating the backup
logic and increasing the chance of mistakes. A standalone bucket will
be way easier to backup.
This commit switches our CI to use the new rust-lang-ci-mirrors bucket.
r? @alexcrichton