(quoting from #fdroid-dev) Perhaps we can actually move an actual buildserver and the website deploy to the new cfarm servers. It seems like it is hardware hosted by a large, respected university, so perhaps it is trustworthy enough. The hard part there is: who wants to be the sysadmin that takes over from @ciaran in ensuring the release builds are working? @Bubu has said he is willing. There should also be backup admin people.
Looking at the machine list, there are a couple builders there: OpenWRT, Lineage, VLC. I wonder if they are the official builders? The current buildserver setup has the security advantage of no remote access, but serious bus factor issues. If we really have a lot of reproducible builds, then this would be totally fine, especially since the verification server is on totally different infrastructure in a different country, continent even, run by different people.
Some of the official Debian release build machines are also hosted at OSUOSL: Debian Project -- debian.org Developer Machines, anything marked with buildd. I asked some of the Debian developers about this idea, and they seem to think it is reasonable (_hc is me):
_hc: so for fdroid, we’re considering hosting release builds on hardware at OSUOSL. I’m wondering where/how the Debian release builders are hosted and whether they have remote access, etc.
Mithrandir: we have remote access, yes. They’re hosted in various places.
Mithrandir: Debian Project -- debian.org Developer Machines has an overview
Mithrandir: buildd = “build daemon”, which is likely what you want to look for on that list.
_hc: thanks. I am familiar with buildd and that list, I just never was sure whether those were the actual release builders. I see some buildd machines at OSUOSL
weasel: osl are good people
Mithrandir: indeed they are.
_hc: so it’s good to hear we’re not crazy for thinking of putting key build machines there, running Debian, of course
_hc: is there somewhere we can read up more on DSA’s experience regarding things like root access policy and how to handle legal requests? my searches haven’t turned up much
Mithrandir: not really. What are you wondering about?
_hc: for things like govt requests, it would be good to have something outlined in advance, rather than freaking out when we get one. I’ve only handled a couple, and it was mostly just like: forward the email to the EFF lawyer. With a lead sysadmin in Germany, I don’t know that process there, nor German lawyers to refer to.
Mithrandir: I don’t think we’ve received any government requests. I could be misremembering, of course.
_hc: that would be ideal
svuorela: will that be before or after the gag order?
_hc: for example, I have little idea of whether there are govt orders with gags in Germany. I know the US law pretty well, and the Austrian law somewhat.
Mithrandir: I don’t know German or Austrian law, as I’m Norwegian.
_hc: can the Norwegian govt give you a secret order?
Mithrandir: not entirely sure, I’d have to check.
_hc: perhaps being friends with Nick Merrill and knowing that whole story has made me more paranoid…
Mithrandir: I think talking about gag orders is a bit pointless, since if somebody were subject to one, they couldn’t tell, and if they weren’t you wouldn’t necessarily believe them. We try to limit the amount of information we keep that’s not public, though, which would make a bunch of requests fairly easy to comply with.
_hc: well, there are warrant canaries and the like
_hc: yeah, the US “NSL” secret order can only request metadata
Mithrandir: but can you trust warrant canaries? Hard to tell
_hc: but the UK “snooper’s charter” seems to allow demands for private keys and things like that, or at least that’s what I’ve heard. and I know in China, the govt orders backdoors in services frequently.