David Edelsohn <dje.gcc@gmail.com> writes:
> Thanks for setting this up. The default accounts have a limited time (90 days?). For long-term CI access, I can help request a long-term account for Nettle.
That would be helpful.
I've had a look at the terms and conditions, http://security.marist.edu/LinuxOne/TC.PDF. Most of it looks very reasonable, but there are a few items that I find a bit unclear:
9. [...] You agree to obey all relevant New York State and US laws, including all export controls laws.
My understanding is that US export control laws don't apply to FOSS software (and that's why, e.g., Debian no longer have special non-us mirrors for distributing cryptographic software). But I don't know the details, and if there really isn't a problem, why is it mentioned explicitly in the terms and conditions?
10. [...] d. To protect your LinuxOne Account, keep your Secure Shell (SSH) keys confidential. You are responsible for the activity that happens on or through your LinuxOne Account.
Is it acceptable under these terms if I upload a private key to a CI config that is part of the gnutls project hosted on gitlab.com? Maamoun's suggested method was to add it as a "Variable" in the CI/CD web config, I'm assuming that will not make it publicly visible (but I'd need to double check).
I don't know precisely which individuals will get access to use the key (and hence my account) if I do that, even though I expect it to be a small number of good people (admins of the gnutls project, and the key will also be technically accessible by gitlab staff).
[...] Do not reuse your LinuxOne Account keys on third-party applications.
I also don't understand what "third-party applications" means in this context, but I'd guess gitlab could be one?
Regards, /Niels