One of the requirements of #975 is to integrity measure the build environment's disk/filesystem at deployment time.
There has been somediscussion on scope, nuance and different environment types. This issue moves the discussion to a dedicated place.
To begin resolving this, there seems to be an overall desire to 1) to determine the specific storage resources of the build environment that need to be integrity measured, and 2) to support VM and non-VM build environments.
I'd prefer to identify the minimum set of resources to measure, and to find language that will allow us to achieve both without having to dive into implementations or special case each type of build environment (VM vs container vs bare metal vs etc).
What we want is to make sure that the initial state of the build runtime contains at a minimum the expected OS, pre-installed applications and build executor. One suggestion is to use the term "storage volume", since it covers both bootable and non-bootable persistent storage. This term also doesn't immediately exclude build caches, if the build platform wishes to additionally integrity-check cached content.
One of the requirements of #975 is to integrity measure the build environment's disk/filesystem at deployment time.
There has been some discussion on scope, nuance and different environment types. This issue moves the discussion to a dedicated place.
To begin resolving this, there seems to be an overall desire to 1) to determine the specific storage resources of the build environment that need to be integrity measured, and 2) to support VM and non-VM build environments.
I'd prefer to identify the minimum set of resources to measure, and to find language that will allow us to achieve both without having to dive into implementations or special case each type of build environment (VM vs container vs bare metal vs etc).
What we want is to make sure that the initial state of the build runtime contains at a minimum the expected OS, pre-installed applications and build executor. One suggestion is to use the term "storage volume", since it covers both bootable and non-bootable persistent storage. This term also doesn't immediately exclude build caches, if the build platform wishes to additionally integrity-check cached content.