shuttle
shuttle copied to clipboard
shuttle-hq
docs: communicate the shuttle build process
At the moment there seems to be a lot of magic in the process. Magic is good, but it can be disconcerting for large/serious users. IMO it is important to understand a bit about what shuttle is doing with your code. Of course, this could be found out by digging through the code, but it's probably better to have this available up-front.
I'd like to see answers to questions like:
Is the code being compiled locally and then compiled version copied to the shuttle.rs servers? Or is the code being shipped there and then compiled?
If the latter, what security is in place for ensuring private code is not made publicly available? (Is each compile happening in a chroot jail, as a unique user, or something else?) How do you handle private or local cargo entries?
If the former, how is the compilation happening? For example, I'm on an old mac, which won't cross-compile to Linux without a lot of work (and a lot of extra tools I don't have disk space for...)
Hey @mikeando - these are great questions.
There certainly needs to be higher quality documentation on the operational aspects of shuttle and it's coming soon. There is a point to be made that things are currently changing quite quickly as we are stabilising our core APIs.
I can answer these questions for you and the benefit of others:
Is the code being compiled locally and then compiled version copied to the shuttle.rs servers? Or is the code being shipped there and then compiled?
As of 0.2.5 the code is being packed into a tarball using something like cargo package and it's being shipped to the shuttle build system where it is incrementally compiled.
If the latter, what security is in place for ensuring private code is not made publicly available? (Is each compile happening in a chroot jail, as a unique user, or something else?) How do you handle private or local cargo entries?
shuttle is still in Alpha so there is currently work being done to assess and reduce the security surface and make sure we can provide a truly secure platform. For the avoidance of doubt I would recommend sensitive code and data is not deployed to shuttle before we get to Beta.
How do you handle private or local cargo entries?
Interesting question. Is this blocking you currently? Right now we are using cargo package and so implicitly following it's behaviour. I believe cargo package will throw an error if it needs to package private or local cargo entries.
