Automated Build Process
The following graph shows what happens between a PKGBUILD getting changed in gitand the built package being available in the pacman repo.
sequenceDiagram participant GIT as MSYS2/<br>MINGW-packages participant API as packages.msys2.org participant GHA as GitHub Actions participant DT as msys2-autobuild participant DEV as Developer participant REPO as Pacman Repo GIT->>GHA: GIT push trigger GHA->>GHA: parse PKGBUILDs GHA-->>GIT: upload parsed PKGBUILDsloop Every 5 minutes API->>GIT: fetch parsed PKGBUILDs GIT-->>API: endloop Every 2 hours DT->>GHA: cron trigger GHA->>API: fetch TODO list API-->>GHA: GHA->>GIT: fetch PKGBUILDs GIT-->>GHA: GHA->>DT: fetch staging DT-->>GHA: GHA->>GHA: build packages GHA-->>DT: upload packagesend DEV->>DT: fetch packages DT-->>DEV: DEV->>DEV: sign packages DEV->>REPO: push to repoSecurity Considerations
Assuming changes to PKGBUILDs are properly reviewed, the pacman signaturechecking works, the upstream source is OK and all MSYS2 organization members aretrusted we need to consider a bad actor controlling some part of the buildingprocess between the PKGBUILD getting changed and the package ending up signed inthe pacman repo.
A bad actor would need to get a package on the machine of the developer signingthe package and adding it to the pacman repo. We take the following precautions:
- We only build packages automatically with GitHub Actions without third party actions, excluding the official GitHub ones. We assume the GHA images and official actions are safe.
- The download tool used by the person signing the package checks that the binaries where uploaded by a restricted set of GitHub users or GHA. We assume the bad actor doesn't have git push rights.
- Packages too large for GHA get built/signed by MSYS2 developers on their machines. We assume the developer machines are safe.
- We enforce 2FA for the MSYS2 organization to make account takeovers of existing MSYS2 developers harder.
Feedback and ideas on how to improve this welcome.