desktop-build should have a better .hgrc

RESOLVED FIXED

Status

Taskcluster
Docker Images
2 years ago
21 days ago

People

(Reporter: dustin, Unassigned, Mentored)

Tracking

(Blocks: 1 bug)

Details

(Whiteboard: [good-first-bug])

(Reporter)

Description

2 years ago
In Buildbot, we include specific fingerprints for servers that hg will talk to:

https://github.com/mozilla/build-puppet/blob/master/modules/mercurial/templates/hgrc.erb#L32

hg.mozilla.org = af:27:b9:34:47:4e:e5:98:01:f6:83:2b:51:c9:aa:d8:df:fb:1a:27
s3-external-1.amazonaws.com = 44:ae:c0:4d:9e:8d:50:13:fc:c3:0c:27:8c:06:f0:53:8a:ad:d2:22
s3-us-west-2.amazonaws.com = ad:ab:0d:1e:fe:1c:78:5b:94:f9:76:b2:5a:12:51:9a:12:7b:66:a2
ftp-ssl.mozilla.org = 9d:8e:3e:7c:4a:33:6f:53:c6:64:a8:48:d3:ea:72:05:f0:73:a4:90

We should do the same in the desktop-build image (even at the expense of failures when one of those fingerprints changes).
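Added example, not part of the original bug report or of Mozilla's tooling: a check of a presented certificate against hgrc pins, showing the failure mode the description accepts when a fingerprint changes and how listing two pins covers a rotation. It assumes the pins live in Mercurial's `[hostfingerprints]` section; the host names and certificate bytes are constructed placeholders.

```python
import configparser
import hashlib
import re

# Constructed stand-ins for DER certificates (not real certificates).
OLD_CERT = b"constructed-cert-bytes-before-rotation"
NEW_CERT = b"constructed-cert-bytes-after-rotation"


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 of the DER certificate as colon-separated hex, as in the hgrc lines above."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_pins(hgrc_text: str) -> dict:
    """Map each host in [hostfingerprints] to its set of pinned fingerprints."""
    # '=' is the only delimiter so the colons inside a fingerprint are not split on.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(hgrc_text)
    if not parser.has_section("hostfingerprints"):
        return {}
    # Mercurial allows several fingerprints per host (commas or spaces), which
    # lets the old and new pin coexist while a certificate is rotated.
    return {
        host: {fp.lower() for fp in re.split(r"[,\s]+", value) if fp}
        for host, value in parser.items("hostfingerprints")
    }


def check_host(pins: dict, host: str, der_cert: bytes) -> str:
    """Return 'unpinned', 'match' or 'mismatch' for the certificate a host presented."""
    expected = pins.get(host.lower())
    if not expected:
        return "unpinned"
    return "match" if sha1_fingerprint(der_cert) in expected else "mismatch"


# Constructed hgrc: host names are placeholders, pins are derived from the stand-in bytes.
SAMPLE_HGRC = f"""
[hostfingerprints]
vcs.example.test = {sha1_fingerprint(OLD_CERT)}
mirror.example.test = {sha1_fingerprint(OLD_CERT)}, {sha1_fingerprint(NEW_CERT)}
"""

if __name__ == "__main__":
    pins = load_pins(SAMPLE_HGRC)
    # Live use would pass ssl.SSLSocket.getpeercert(binary_form=True) as der_cert.
    for host in ("vcs.example.test", "mirror.example.test", "files.example.test"):
        print(host, check_host(pins, host, NEW_CERT))
```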
(Reporter)

Comment 1

2 years ago
Note that we can ship an update to this much more quickly (in-tree!) than bug 1259457
(Reporter)

Comment 2

2 years ago
Currently, hgrc is installed in the centos6-build image, but it should instead be installed in the desktop-build image.

It should probably have some other things from the hgrc linked in comment 0, too.
Summary: desktop-build should have a secure .hgrc → desktop-build should have a better .hgrc
(Reporter)

Comment 3

a year ago
Greg, have your recent patches fixed this?
Flags: needinfo?(gps)
This is partially addressed in bug 1247168. However, I removed desktop-build from the scope of that bug because it's a bit of work. Let's keep this bug open for now. It will likely get duped to a to-be-filed bug tracking moving desktop-build off tc-vcs.
Blocks: 1286336
Depends on: 1247168
Flags: needinfo?(gps)
(Reporter)

Comment 5

21 days ago
Builds now use the fingerprint from secrets.
Status: NEW → RESOLVED
Last Resolved: 21 days ago
Resolution: --- → FIXED