build: refuse to bake mother SSH key into release images #113

Merged
clawdie merged 1 commit from build/mother-ssh-key into main 2026-06-22 09:49:18 +02:00
Owner

The trigger copies osa-mother-2026 from the build host into any ISO
as long as the key file exists (which it does permanently on OSA).
A BUILD_CHANNEL=release build would embed the private key into a
publicly hosted image = mother compromise.

Add a fail-closed guard: release builds exit with an error before
copying the key. Dev builds (including personalized sticks) are
unaffected.

clawdie added 1 commit 2026-06-22 09:49:06 +02:00
clawdie merged commit 72491ee3b8 into main 2026-06-22 09:49:18 +02:00
clawdie deleted branch build/mother-ssh-key 2026-06-22 09:49:19 +02:00
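
The guard the description calls for, sketched in POSIX shell as an added example (not the project's code; function names and paths are hypothetical, only `BUILD_CHANNEL` comes from the PR). The tree scan is a second check that goes beyond what the PR describes: it catches key material that reaches a release tree by any other path.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not the project's.

# Guard: copy the key into the image tree unless this is a release build.
# On release it returns non-zero *before* any copy happens (fail closed),
# instead of silently skipping the step.
stage_key() {
    sk_src=$1; sk_dest=$2
    [ -f "$sk_src" ] || return 0          # no key on this build host: nothing to do
    if [ "${BUILD_CHANNEL:-}" = "release" ]; then
        echo "error: BUILD_CHANNEL=release: refusing to copy $sk_src into the image" >&2
        return 1
    fi
    mkdir -p "$sk_dest" && cp -p "$sk_src" "$sk_dest/" &&
        chmod 600 "$sk_dest/$(basename "$sk_src")"
}

# Backstop: before packing a release image, fail if any file in the staged
# tree carries a PEM/OpenSSH private-key header, whatever step put it there.
verify_release_tree() {
    vt_tree=$1
    [ -d "$vt_tree" ] || { echo "error: no staged tree at $vt_tree" >&2; return 2; }
    if grep -rqE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$vt_tree"; then
        echo "error: private key material found under $vt_tree" >&2
        return 1
    fi
    return 0
}

# In a build script (paths assumed):
#   stage_key "$KEY_PATH" "$TREE/root/.ssh" || exit 1
#   [ "$BUILD_CHANNEL" != release ] || verify_release_tree "$TREE" || exit 1
```
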
Reference: clawdie/clawdie-iso#113