<samkottler>
dwradcliffe: ah that's related to the new nginx build setup
<dwradcliffe>
build server?
<samkottler>
dwradcliffe: I properly backed all the nginx stuff we need in the regular debian format
<samkottler>
packaged**
<samkottler>
sorry, on ze phone
<samkottler>
dwradcliffe: right now the LB has a custom nginx build in /opt with geoip
<samkottler>
dwradcliffe: you can actually close that I reckon
<dwradcliffe>
right, ok. we'll need to update the LB nginx recipe once the build process is finalized
<dwradcliffe>
but I'll close this for now
<samkottler>
dwradcliffe: I'll rebase the build server changes today and then we'll be closer
<samkottler>
dwradcliffe: the challenging part here is actually how to get signing and upload separated
<samkottler>
because it's a security risk otherwise
<samkottler>
dwradcliffe: I might have to do builds on my laptop or an SG gapped machine
<samkottler>
I don't want to have the repo hosted on the builder because if it gets compromised then we are SOL
<dwradcliffe>
samkottler: hmm. build locally and upload to S3?
<samkottler>
dwradcliffe: we need an intermediate box to create all the repo metadata
<samkottler>
so the process is:
<samkottler>
1. a trusted person (you, evan, me) creates a package
<samkottler>
2. sign the binaries locally
<samkottler>
3. push the signed binaries to a box that pulls down all the contents of an S3 bucket
<samkottler>
4. adds the signed package to the repo metadata
<samkottler>
5. pushes the whole thing up to s3
<dwradcliffe>
so the build server does 3,4,5
<samkottler>
exactly
<dwradcliffe>
that sounds like a good process. as long as we have good docs/setup for 1,2
<samkottler>
dwradcliffe: once that first PR gets merged I'm gonna submit another that adds a daemon that listens on a port and accepts valid, signed binaries
<samkottler>
so you do something like dput that pushes the binaries to the box
<samkottler>
yeah I'll write docs
<samkottler>
dwradcliffe: we could also set up a box to do the building and then people can grab the binaries to their machine to sign them
<samkottler>
but that feels odd
<samkottler>
since debuild wants to sign as part of the build process
<dwradcliffe>
feels like a waste of a box
<samkottler>
agreed
<dwradcliffe>
I'm not very familiar with the build/sign process but I should probably learn