Automated Build Process
The following graph shows what happens between a PKGBUILD getting changed in git and the built package being available in the pacman repo.
sequenceDiagram participant GIT as MSYS2/<br>MINGW-packages participant API as packages.msys2.org participant GHA as GitHub Actions participant DT as msys2-autobuild participant DEV as Developer participant REPO as Pacman Repo GIT->>GHA: GIT push trigger GHA->>GHA: parse PKGBUILDs GHA-->>GIT: upload parsed PKGBUILDs loop Every 5 minutes API->>GIT: fetch parsed PKGBUILDs GIT-->>API: end loop Every 2 hours DT->>GHA: cron trigger GHA->>API: fetch TODO list API-->>GHA: GHA->>GIT: fetch PKGBUILDs GIT-->>GHA: GHA->>DT: fetch staging DT-->>GHA: GHA->>GHA: build packages GHA-->>DT: upload packages end DEV->>DT: fetch packages DT-->>DEV: DEV->>DEV: sign packages DEV->>REPO: push to repoSecurity Considerations
Assuming changes to PKGBUILDs are properly reviewed, the pacman signature checking works, the upstream source is OK and all MSYS2 organization members are trusted we need to consider a bad actor controlling some part of the building process between the PKGBUILD getting changed and the package ending up signed in the pacman repo.
A bad actor would need to get a package on the machine of the developer signing the package and adding it to the pacman repo. We take the following precautions:
- We only build packages automatically with GitHub Actions without third party actions, excluding the official GitHub ones. We assume the GHA images and official actions are safe.
- The download tool used by the person signing the package checks that the binaries where uploaded by a restricted set of GitHub users or GHA. We assume the bad actor doesn't have git push rights.
- Packages too large for GHA get built/signed by MSYS2 developers on their machines. We assume the developer machines are safe.
- We enforce 2FA for the MSYS2 organization to make account takeovers of existing MSYS2 developers harder.
Feedback and ideas on how to improve this welcome.