Merge ~cjwatson/launchpad-buildd:doc-malware-scanning into launchpad-buildd:master

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: e6e05b6e82bd4f748b42ca709204b478bb556f22
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~cjwatson/launchpad-buildd:doc-malware-scanning
Merge into: launchpad-buildd:master
Diff against target: 60 lines (+38/-0)
3 files modified
debian/changelog (+6/-0)
docs/explanation/malware-scanning.rst (+31/-0)
docs/index.rst (+1/-0)
Reviewer: Guruprasad, Status: Approve
Review via email: mp+444168@code.launchpad.net

Commit message

Add basic documentation of malware scanning for CI builds

Guruprasad (lgp171188) wrote :

LGTM 👍

review: Approve
Jürgen Gmach (jugmac00) wrote :

Thanks!

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 547f256..905f523 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,9 @@
6+launchpad-buildd (234) UNRELEASED; urgency=medium
7+
8+ * Add basic documentation of malware scanning for CI builds.
9+
10+ -- Colin Watson <cjwatson@ubuntu.com> Tue, 06 Jun 2023 11:42:23 +0100
11+
12 launchpad-buildd (233) focal; urgency=medium
13
14 * Only create /dev/dm-* in LXD containers if they don't already exist
15diff --git a/docs/explanation/malware-scanning.rst b/docs/explanation/malware-scanning.rst
16new file mode 100644
17index 0000000..dfbecdc
18--- /dev/null
19+++ b/docs/explanation/malware-scanning.rst
20@@ -0,0 +1,31 @@
21+Malware scanning
22+****************
23+
24+Certain CI builds can be configured with ClamAV integration, so that builds
25+have a basic malware scan performed on their output files. This is not yet
26+very generalized (it currently only works for builds in the private ``soss``
27+distribution), and should not be expected to be robust.
28+
29+To enable this in a local Launchpad installation, set this in
30+``launchpad-lazr.conf`` (or otherwise arrange for ``"scan_malware": true``
31+to be included in the arguments dispatched to the builder)::
32+
33+ [cibuild.soss]
34+ scan_malware: True
35+
36+``database.clamav.net`` rate-limits clients. To avoid this, and generally
37+to be good citizens, we maintain a `private mirror
38+<https://docs.clamav.net/appendix/CvdPrivateMirror.html>`_ of the ClamAV
39+database. This is organized using the `clamav-database-mirror
40+<https://charmhub.io/clamav-database-mirror>`_ charm, deployed via the
41+`vbuilder
42+<https://git.launchpad.net/~launchpad/launchpad-mojo-specs/+git/private/tree/vbuilder?h=vbuilder>`_
43+Mojo spec (Canonical-internal); on production, this is exposed to builders
44+as ``clamav-database-mirror.lp.internal``. `launchpad-buildd-image-modifier
45+<https://git.launchpad.net/charm-launchpad-buildd-image-modifier>`_ is
46+configured to pass a suitable local URL on to ``launchpad-buildd``, but you
47+can also do this in a local installation by adding something like the
48+following to ``/etc/launchpad-buildd/default``::
49+
50+ [proxy]
51+ clamavdatabase = http://clamav-database-mirror.test/
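
Review bot: The opening paragraph of malware-scanning.rst says the scan "should not be expected to be robust" but never states what happens to a build when ClamAV flags an output file, or when the database cannot be fetched from the mirror. A sentence saying whether the build fails or only logs in each case would tell operators what enabling ``scan_malware`` commits them to. The ``[proxy]`` example also gives a plain ``http://`` URL for ``clamavdatabase``; it would help to say whether that is the expected scheme for the mirror or whether an ``https://`` URL is accepted. Minor: "To avoid this" reads as avoiding the rate limiting itself; "To avoid hitting that limit" would be clearer.
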
52diff --git a/docs/index.rst b/docs/index.rst
53index f8ae1de..a80b2b3 100644
54--- a/docs/index.rst
55+++ b/docs/index.rst
56@@ -41,3 +41,4 @@ Explanation
57 :maxdepth: 1
58
59 explanation/deployment
60+ explanation/malware-scanning
