On Wed, May 10, 2023 at 9:53 AM Neal Gompa <ngompa13@gmail.com> wrote:
> Is there a reason we can't use RHEL itself? RHEL for CI seems to be a thing they allow at no cost[1].

Philosophically, we've avoided anything that required a subscription or special access, as the whole idea is to build things that do not rely on any such things. Though practicalities do win out, for example the FIPS work uses a key, and some of our production servers use ESM keys.

Practically, we give developers full root access to a complete VM, which precludes anything we use in CI being truly "secret" (note I'm talking about the untrusted check jobs. Post commit jobs are different). So we have to consider that, modulo some level of obfuscation, any subscriptions should be considered public.

Also practically, the diskimage-builder path would need quite a bit of work to spit out useful images; I can't currently see that there would be resources to do any of this.

-i