
Add more preflight checks to makerelease2
Open, Needs Triage, Public

Description

From today's security release:

Event Timeline

Change 650410 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/tools/release@master] make-release: Lint PHP and JSON files as an extra sanity check

https://gerrit.wikimedia.org/r/650410

Change 650410 merged by jenkins-bot:
[mediawiki/tools/release@master] make-release: Lint PHP and JSON files as an extra sanity check

https://gerrit.wikimedia.org/r/650410

Reedy renamed this task from "Add more sanity checks to makerelease2" to "Add more preflight checks to makerelease2". Apr 8 2021, 7:30 PM

Initially I thought we could just run the CI phan docker image, but we don't actually have the development composer dependencies checked out.

My new idea is we build a docker image for each branch on top of the CI phan image that bundles the dependencies in the image itself (by copying core's composer.json or something). Bumping prod/dev dependencies in release branches is less frequent, and we can make sure it's up to date a few days before the release. Then the image can be run with no extra dependencies besides the docker and image itself.

In theory phan is "untrusted" code since I don't think anyone has done a full audit of it and its dependencies. We could mount the mediawiki directory as read-only in it so a malicious phan can't insert code into the tarball. We can disable networking with --network none (docs, though I've never tried this before) to ensure it can't exfiltrate the patches elsewhere. Assuming no docker sandbox escape, etc.

Thoughts?
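An added example (not makerelease2's own code) that sketches the two preflight steps discussed in this task: the PHP/JSON lint from change 650410 and a phan run in a container with the mediawiki tree mounted read-only and `--network none`. The image name `PHAN_IMAGE`, the function names and the constructed sample tree are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical release preflight checks (example code, not from mediawiki/tools/release)."""
import json
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed name of a per-branch image built on top of the CI phan image with the
# composer dev dependencies baked in; a placeholder, not a real registry image.
PHAN_IMAGE = "phan-mediawiki-branch:REL1_35"

def lint_json(root):
    """Return paths of *.json files under root that fail to parse."""
    bad = []
    for path in Path(root).rglob("*.json"):
        try:
            json.loads(path.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError):
            bad.append(str(path))
    return sorted(bad)

def lint_php(root):
    """Run `php -l` on every *.php file; returns None when php is not installed."""
    if shutil.which("php") is None:
        return None
    bad = []
    for path in Path(root).rglob("*.php"):
        res = subprocess.run(["php", "-l", str(path)], capture_output=True, text=True)
        if res.returncode != 0:
            bad.append(str(path))
    return sorted(bad)

def phan_docker_argv(mediawiki_dir, image=PHAN_IMAGE):
    """docker run argv with the hardening from the thread: read-only mount, no network."""
    src = os.path.abspath(mediawiki_dir)
    return ["docker", "run", "--rm",
            "--network", "none",            # phan gets no route to exfiltrate patches
            "-v", f"{src}:/mediawiki:ro",   # phan cannot write into the tarball tree
            image]

def preflight(root):
    """Collect every file the lints reject; an empty list means the tree is clean."""
    problems = lint_json(root)
    problems.extend(lint_php(root) or [])
    return problems

def make_sample_tree():
    """Constructed fixture: one valid and one broken JSON file in a temp dir."""
    d = tempfile.mkdtemp()
    Path(d, "ok.json").write_text('{"name": "Example"}', encoding="utf-8")
    Path(d, "bad.json").write_text('{"name": "Example",}', encoding="utf-8")
    return d
```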

I'm minded to trust phan a fair bit. I think the ro and --network none hardening steps sound reasonable.