Immutable write-once location in the builder
As part of https://github.com/chainguard-dev/melange/pull/1737
It would be useful to have write-once locations for the builder, i.e. for melange to write dynamic files that are immutable by the guest. Sort of like the existing melange-cache, but not reusable across multiple builds.
See this comment https://github.com/chainguard-dev/melange/pull/1737#discussion_r1915123469 of writing out individual package specific settings into the apko image used for building a given package.
Currently this is not possible. This is potentially a parallel feature request for apko paths key to support adding arbitrary text files.
So, talking to @jonjohnsonjr about this, there is more to this than meets the eye:
- whilst the location of this file is not great, it doesn't matter as much, because any other location will not bring safety / security benefits either
- until we have a root-owned build image and a non-root (or different user) builder executor, where this file is doesn't matter, as at build time the builder process today can modify all files, inside and outside of its home directory
- doing a read-only bind mount could be better, but care would need to be taken to ensure all runners support that
Until all of the above is done, moving this file out of the workspace is low priority, or pointless, as it doesn't achieve anything.
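One way to verify the read-only bind mount idea from the comment above, once a runner actually applies it: parse `/proc/self/mountinfo` from inside the build environment and confirm the settings path sits on a mount whose per-mount options carry `ro` (the flag a read-only bind mount sets, independent of the underlying filesystem being `rw`). This is an added example, not melange's own code; the mount point `/home/build/.melange-settings` and the sample mountinfo text are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// mountEntry is the subset of a /proc/self/mountinfo line needed for the check.
type mountEntry struct {
	mountPoint string
	options    []string // per-mount options (field 6), e.g. "ro", "rw", "nosuid"
}

// parseMountInfo parses text in /proc/self/mountinfo format:
// <id> <parent> <maj:min> <root> <mountpoint> <opts> [optional...] - <fstype> <source> <superopts>
func parseMountInfo(text string) ([]mountEntry, error) {
	var entries []mountEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 6 {
			return nil, fmt.Errorf("malformed mountinfo line: %q", line)
		}
		// The kernel escapes spaces in mount points as \040.
		mp := strings.ReplaceAll(fields[4], `\040`, " ")
		entries = append(entries, mountEntry{
			mountPoint: filepath.Clean(mp),
			options:    strings.Split(fields[5], ","),
		})
	}
	return entries, sc.Err()
}

// mountFor returns the entry whose mount point most specifically contains path:
// the longest prefix match on a path-component boundary. On equal length the
// later entry wins, because a later mount on the same point shadows earlier ones.
func mountFor(entries []mountEntry, path string) (mountEntry, bool) {
	path = filepath.Clean(path)
	var best mountEntry
	found := false
	for _, e := range entries {
		if e.mountPoint == "/" || e.mountPoint == path || strings.HasPrefix(path, e.mountPoint+"/") {
			if !found || len(e.mountPoint) >= len(best.mountPoint) {
				best, found = e, true
			}
		}
	}
	return best, found
}

// IsReadOnlyMount reports whether path lives on a mount whose per-mount
// options include "ro". A read-only bind mount shows "ro" here even when the
// superblock options (last field) still say "rw".
func IsReadOnlyMount(mountinfo, path string) (bool, error) {
	entries, err := parseMountInfo(mountinfo)
	if err != nil {
		return false, err
	}
	e, ok := mountFor(entries, path)
	if !ok {
		return false, fmt.Errorf("no mount found for %s", path)
	}
	for _, o := range e.options {
		if o == "ro" {
			return true, nil
		}
	}
	return false, nil
}

// SampleMountInfo is constructed test input: an overlay root, a writable
// build home, and a hypothetical read-only bind mount of the settings file.
const SampleMountInfo = `
22 28 0:21 / / rw,relatime - overlay overlay rw
40 22 0:35 / /home/build rw,relatime - tmpfs tmpfs rw
41 22 8:1 /melange/settings /home/build/.melange-settings ro,relatime - ext4 /dev/sda1 rw
`

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: romount-check <path>")
		os.Exit(2)
	}
	data, err := os.ReadFile("/proc/self/mountinfo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ro, err := IsReadOnlyMount(string(data), os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s read-only mount: %v\n", os.Args[1], ro)
}
```

Run it inside the build guest as `romount-check /home/build/.melange-settings` (or whatever path the runner chose); a `false` result means the guest can still remount or rewrite the file, which is exactly the "doesn't achieve anything" situation described above until the root-owned image and non-root executor land.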