Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Builder no longer trusted when using --trust-builder with Pack 0.35.0 #2228

Closed
edmorley opened this issue Jul 18, 2024 · 5 comments · Fixed by #2230
Closed

Builder no longer trusted when using --trust-builder with Pack 0.35.0 #2228

edmorley opened this issue Jul 18, 2024 · 5 comments · Fixed by #2230
Labels
good first issue A good first issue to get started with. status/ready Issue ready to be worked on. type/bug Issue that reports an unexpected behaviour.
Milestone
0.36.0

Comments

@edmorley
Copy link
Contributor

edmorley commented Jul 18, 2024
edited
Loading

Summary

In Pack v0.35.0 (which includes 16f4932, the fix for #2221), the untrusted builder workflow is now used even when the user explicitly requests that the builder be treated as trusted using --trust-builder.

This impacts our CNB integration test framework, which runs tests using pack build --builder <...> --buildpack <local_dev_buildpack> --trust-builder, as it:

  1. Causes multi-line build log output string assertions to fail (used for testing rendering of buildpack log output: example), due to the [builder] log line prefixes now added in untrusted mode.
  2. Makes tests slower (eg due to pulling of buildpacksio/lifecycle plus running the build flow in separate containers).

It seems this change may have been unintentional, since the security issue mentioned in #2221 doesn't apply to --trust-builder, where the user has explicitly requested that the builder be trusted.

Reproduction

Steps
  1. pack build --trust-builder --builder heroku/builder:24 --buildpack packaged/aarch64-unknown-linux-musl/debug/heroku_python --path tests/fixtures/python_3.12/ test-app --verbose
    (or any similar command with a local buildpack passed via --buildpack)
Current behavior
$ pack build --trust-builder --builder heroku/builder:24 --buildpack packaged/aarch64-unknown-linux-musl/debug/heroku_python --path tests/fixtures/python_3.12/ test-app --verbose
Builder heroku/builder:24 is trusted
Pulling image index.docker.io/heroku/builder:24
24: Pulling from heroku/builder
Digest: sha256:111d41f1a43ae69e9835c55cf7c185d5f08b010a08bac72529caab983a24e2ac
Status: Image is up to date for heroku/builder:24
CheckReadAccess succeeded for the run image heroku/heroku:24
Selected run image heroku/heroku:24
Pulling image heroku/heroku:24 with platform linux/arm64
24: Pulling from heroku/heroku
Digest: sha256:36e92b6b4e2a980a02363b9f1ddce582c32f38e236b778a6570dedf3d52ab733
Status: Image is up to date for heroku/heroku:24
Downloading buildpack from URI: file:///Users/emorley/src/buildpacks-python/packaged/aarch64-unknown-linux-musl/debug/heroku_python
Warning: Builder is trusted but additional modules were added; using the untrusted (5 phases) build flow
Pulling image buildpacksio/lifecycle:0.20.0 with platform linux/arm64
0.20.0: Pulling from buildpacksio/lifecycle
...
Expected behavior

To not see:

Warning: Builder is trusted but additional modules were added; using the untrusted (5 phases) build flow

...and for the build to proceed in trusted mode.

Environment

pack info
$ pack report
Pack:
  Version:  0.35.0+git-f6b450f.build-6065
  OS/Arch:  darwin/arm64

Default Lifecycle Version:  0.19.6

Supported Platform APIs:  0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.10, 0.11, 0.12, 0.13

Config:
  default-builder-image = "[REDACTED]"
docker info

N/A
@edmorley edmorley added status/triage Issue or PR that requires contributor attention. type/bug Issue that reports an unexpected behaviour. labels Jul 18, 2024
@edmorley edmorley changed the title Pack 0.35.0 regression: Builder no longer trusted when using --trust-builder Builder no longer trusted when using --trust-builder with Pack 0.35.0 Jul 18, 2024
@natalieparellano
Copy link
Member

@edmorley I think this behavior is expected, as #2221 does apply to trusted builders (pack build <trusted-builder> --buildpack <untrusted-buildpack> though perhaps we should've been explicit and also said pack build <any-builder> --buildpack <untrusted-buildpack> --trust-builder).

I get what you're saying here, it is annoying that there isn't any way to get the old behavior. Perhaps we need something like pack build --trusted-buildpack <foo>? WDYT?

@natalieparellano natalieparellano added status/discussion-needed Issue or PR that requires in-depth discussion. and removed status/triage Issue or PR that requires contributor attention. labels Jul 18, 2024
@natalieparellano natalieparellano added this to the 0.36.0 milestone Jul 18, 2024
@edmorley
Copy link
Contributor Author

edmorley commented Jul 18, 2024
edited
Loading

I guess in my mental model I was thinking:

  1. --builder <trusted> --buildpack <untrusted> = <ephemeral untrusted builder>
  2. And --trusted-builder would then apply to <ephemeral untrusted builder>, making it <trusted ephemeral builder>?

@edmorley
Copy link
Contributor Author

Perhaps we need something like pack build --trusted-buildpack <foo>? WDYT?

Yeah that would work.

It seems like there might be use-cases where someone might want to pass only one of --trust-builder or --trust-buildpack (rather than both of them), and so perhaps having two CLI args here would make sense?

@natalieparellano
Copy link
Member

@edmorley would you want pack build --trusted-buildpack bp1 --trusted-buildpack bp2 or pack build --buildpack bp1 --buildpack bp2 --trust-buildpacks? I guess we could support both? There's no use case for mixing trusted & untrusted buildpacks, so maybe the latter as simpler and easier?

@edmorley
Copy link
Contributor Author

A single --trust-buildpacks sounds good to me.

@natalieparellano natalieparellano added status/ready Issue ready to be worked on. good first issue A good first issue to get started with. and removed status/discussion-needed Issue or PR that requires in-depth discussion. labels Jul 18, 2024
@AidanDelaney AidanDelaney mentioned this issue Jul 19, 2024
Merged
2 tasks
This was referenced Aug 27, 2024
Closed
Closed
Closed
Closed
Merged
edmorley added a commit to heroku/buildpacks-ruby that referenced this issue Aug 27, 2024
@edmorley
Use --trust-additional-buiildpacks with pack build in CI
550aee3 
To work around:
buildpacks/pack#2228
@edmorley edmorley mentioned this issue Aug 27, 2024
Closed
edmorley added a commit to heroku/buildpacks-ruby that referenced this issue Aug 27, 2024
@edmorley
Use --trust-extra-buildpacks with pack build in CI
4969350 
To work around:
buildpacks/pack#2228
edmorley added a commit to heroku/buildpacks-ruby that referenced this issue Aug 27, 2024
@dependabot @edmorley
Bump buildpacks/github-actions from 5.7.1 to 5.7.4 (#313)
47d81dd 
* Bump buildpacks/github-actions from 5.7.1 to 5.7.4

Bumps [buildpacks/github-actions](https://github.com/buildpacks/github-actions) from 5.7.1 to 5.7.4.
- [Release notes](https://github.com/buildpacks/github-actions/releases)
- [Commits](buildpacks/github-actions@v5.7.1...v5.7.4)

---
updated-dependencies:
- dependency-name: buildpacks/github-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Use `--trust-extra-buildpacks` with `pack build` in CI

To work around:
buildpacks/pack#2228

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ed Morley <[email protected]>
This was referenced Aug 27, 2024
Closed
Merged
@edmorley edmorley mentioned this issue Nov 26, 2024
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue A good first issue to get started with. status/ready Issue ready to be worked on. type/bug Issue that reports an unexpected behaviour.
Projects
None yet
Milestone
0.36.0
Development

Successfully merging a pull request may close this issue.

Trust buildpacks in addition to those on the builder AidanDelaney/pack
2 participants
@edmorley @natalieparellano