undefined | Better HN

0 pointsselfhoster1y ago0 comments

It is and regardless a few other commenters saying or hinting it isn't...it is. An air gapped build machine wouldn't work for most software built today.

0 comments

fc417fc8021y ago

Strange. How do things like Nix work then? The nix builders are network isolated. Most (all?) Gentoo packages can also be built without network access. That seems like it should cover a decent proportion of modern software.

Instances where an air gapped build machine doesn't work are examples of developer laziness, not bothering to properly document dependencies.

ok_dad1y ago

Sounds like a problem with modern software build practices to me.

pixl971y ago

Ya too many people think it's a great idea to raw dog your ci/cd on the net and later get newspaper articles written about the data leak.

The number of packages that is malicious is high enough, then you have typo packages, and packages that get compromised at a later date. Being isolated from the net with proper monitoring gives a huge heads up when your build system suddenly tries to contact some random site/IP.

turtlebits1y ago

People don't think it's a great idea. In general, its just too much additional work/process - for very little benefit.

You're far more likely to encounter a security issue from adding/upgrading a dependency than your build process requiring internet access.

j / k navigate · click thread line to collapse