Patchwatcher security improvements

Dan Kegel dank at kegel.com
Wed Sep 10 08:46:16 CDT 2008


Ambroz wrote:
> I think I'll try getting a small Gentoo system to run in UML with a
> read-only root fs and make it boot as fast as possible. To try a patch, I
> would give it read access to the master Wine tree on the host, it would
> copy it to a writable temp folder and try it out. After it's finished or
> if the external timeout elapses, the UML process will be terminated and
> all of its writable storage will be reverted.

Right.  That's how the refactored patchwatcher is designed.
There's a shared directory containing one subdirectory
for each build slave.
Each slave is expected to somehow get a read/write mount
to its own subdirectory of the shared directory.
The master watches the mailing list and puts incoming patches
into an inbox directory.  Each patch series is called a job, and
gets its own subdirectory of inbox.  The master dispatches
a job to a build slave by moving the job directory into one
of the build slave's directories.

The build slaves watch for jobs to appear in their directory.
When one appears, then do all the builds it implies, then create
a log file.
The master notices the log file and moves that job out of the
slave's subdirectory.

So the slave can be in another real machine, another virtual machine,
or running as another user; anything as long as it can get read/write
access to its subdirectory of the shared directory.
- Dan



More information about the wine-devel mailing list