3f01dc11f7
Complete a lingering TODO in run-buildset-registry to use a less guessable password for the intermediate registry service. Timestamps (even with microsecond precision and even running through a hash algorithm) are inherently guessable. Someone watching a console stream of the job could probably narrow down the time that task ran to at least second precision, which then requires at most a million guesses to be able to pollute or otherwise compromise the content jobs are relying on. With reasonable network access and a typical personal computer this is a rather small work factor to overcome. Luckily, the Ansible community maintains an in-tree lookup plugin[*] for strong password generation. Its default is 20 mixed-case letters, numbers and punctuation, so the same length as the truncated hash we're replacing. [*] https://docs.ansible.com/ansible/latest/plugins/lookup/password.html Depends-On: https://review.opendev.org/662870 Change-Id: I66e60f767328cc3af540ec4b755121da989b5e56 |
||
|---|---|---|
| doc | ||
| playbooks | ||
| roles | ||
| test-playbooks/registry | ||
| tests | ||
| tools | ||
| .gitignore | ||
| .gitreview | ||
| .stestr.conf | ||
| LICENSE | ||
| README.rst | ||
| bindep.txt | ||
| setup.cfg | ||
| setup.py | ||
| test-requirements.txt | ||
| tox.ini | ||
| zuul.yaml | ||
README.rst
Zuul Jobs
This repo contains a set of Zuul jobs and Ansible roles suitable for use by any Zuul system.