[tahoe-lafs-trac-stream] [Tahoe-LAFS] #3759: The CircleCI Dockerhub authorization context prevents contributions from GitHub.com forked repositories from running
Tahoe-LAFS
trac at tahoe-lafs.org
Tue Aug 10 18:20:56 UTC 2021
#3759: The CircleCI Dockerhub authorization context prevents contributions from
GitHub.com forked repositories from running
---------------------+---------------------------
Reporter: exarkun | Owner:
Type: defect | Status: new
Priority: normal | Milestone: undecided
Component: unknown | Version: n/a
Keywords: | Launchpad Bug:
---------------------+---------------------------
Our CircleCI jobs use custom Docker images with our dependencies
pre-installed in order to speed up the jobs.

Pulling these Docker images from Dockerhub is subject to rate limiting
unless credentials are supplied to CircleCI so it can authenticate to
Dockerhub.

These credentials are stored in a CircleCI project "context" which is only
available to "Tahoe committers". Anyone who can read these credentials
can push images to our Dockerhub repository.

Because of this "context", PRs from outside contributors don't have any
CircleCI jobs run.

Except maybe we don't actually need to do this authentication anymore.
Quoting
https://support.circleci.com/hc/en-us/articles/360050623311-Docker-Hub-rate-limiting-FAQ:

> Beginning November 1, 2020, Docker Hub will enable rate limits based on
> the originating IP address. However, CircleCI has partnered with Docker to
> ensure that our users can continue to access Docker Hub without rate
> limits. On November 1st, with few exceptions* (listed below), you should
> not be impacted by any rate limits when pulling images from Docker Hub
> through CircleCI.

> *Exceptions: Remote Docker and Machine Executors will be impacted by the
> rate limiting unless pulling CircleCI-published images.

Our CircleCI configuration uses the "Docker" executor but not the "Remote
Docker" executor. This seems to suggest we should not be subject to the
rate limits even if we do not supply Dockerhub credentials.

If this is the case, we can remove our Dockerhub credentials "context" and
remove this barrier for external contributors.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/3759>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
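
The two arrangements the ticket compares, as an added CircleCI configuration sketch that is not part of the original message or the Tahoe-LAFS repository. The image name, job and workflow names, context name and variable names are placeholders assumed for illustration.

```yaml
# Added illustration. Image, job, workflow, context and variable names are
# placeholders, not values taken from the Tahoe-LAFS configuration.

# Arrangement described in the ticket: the image pull authenticates to
# Dockerhub, and the credentials come from a restricted context.
version: 2.1
jobs:
  tests:
    docker:
      - image: "example/ci-image:placeholder"
        auth:
          username: $DOCKERHUB_USERNAME   # defined only in the context
          password: $DOCKERHUB_PASSWORD   # defined only in the context
    steps:
      - checkout
      - run: echo "test suite runs here"
workflows:
  ci:
    jobs:
      - tests:
          # The context is available only to "Tahoe committers", so jobs
          # for PRs from forked repositories do not run.
          context: dockerhub-auth
---
# Arrangement proposed in the ticket: no auth block and no context, so the
# pull is anonymous and no push-capable credential is exposed to any job.
# This relies on the quoted FAQ's statement about pulls through CircleCI
# holding for the "Docker" executor.
version: 2.1
jobs:
  tests:
    docker:
      - image: "example/ci-image:placeholder"
    steps:
      - checkout
      - run: echo "test suite runs here"
workflows:
  ci:
    jobs:
      - tests
```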