Launchpad itself

Merge lp:~jtv/launchpad/bug-544237 into lp:launchpad

bug-544237
Merge into devel

Proposed by Jeroen T. Vermeulen on 2010-04-12

Status:

Merged

Approved by:

Jeroen T. Vermeulen on 2010-04-12

Approved revision:

no longer in the source branch.

Merged at revision:

not available

Proposed branch:

lp:~jtv/launchpad/bug-544237

Merge into:

lp:launchpad

Diff against target:

888 lines (+177/-326)

19 files modified

lib/lp/buildmaster/doc/builder.txt (+6/-6)
lib/lp/buildmaster/doc/buildfarmjobbehavior.txt (+2/-2)
lib/lp/buildmaster/interfaces/builder.py (+4/-4)
lib/lp/buildmaster/interfaces/buildfarmjob.py (+10/-0)
lib/lp/buildmaster/interfaces/buildfarmjobbehavior.py (+6/-5)
lib/lp/buildmaster/model/builder.py (+6/-5)
lib/lp/buildmaster/model/buildfarmjob.py (+24/-0)
lib/lp/buildmaster/model/buildfarmjobbehavior.py (+8/-105)
lib/lp/buildmaster/tests/test_buildfarmjobbehavior.py (+76/-39)
lib/lp/buildmaster/tests/test_manager.py (+1/-1)
lib/lp/code/model/recipebuilder.py (+2/-10)
lib/lp/code/model/sourcepackagerecipebuild.py (+3/-0)
lib/lp/code/tests/test_recipebuilder.py (+10/-25)
lib/lp/soyuz/doc/buildd-slavescanner.txt (+7/-1)
lib/lp/soyuz/model/binarypackagebuildbehavior.py (+5/-3)
lib/lp/soyuz/tests/soyuzbuilddhelpers.py (+3/-2)
lib/lp/soyuz/tests/test_binarypackagebuildbehavior.py (+0/-66)
lib/lp/translations/model/translationtemplatesbuildbehavior.py (+4/-19)
lib/lp/translations/tests/test_translationtemplatesbuildbehavior.py (+0/-33)

To merge this branch:

bzr merge lp:~jtv/launchpad/bug-544237

Low

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Eleanor Berger (community)	code	2010-04-12	Approve on 2010-04-12
Review via email: mp+23214@code.launchpad.net

Commit message

Slave build cookies.

Description of the change

= Bug 544237 =

This is an oversized branch. I'm sorry for that; I really am. A lot of the diff is caused by the renaming of an exception class.

The build farm dispatches build jobs to slave machines. To avoid confusing one job running on a slave with another, the slave receives a "build id" that proves to the master that it's been working on that particular job. It's not technically an id; it's not even necessarily associated with a build. It's just there for verification. There's also a security aspect: slaves can be compromised, and in that state, probably should not be able to substitute their own output for that of a legitimate job running on another slave.

A method in IBuildFarmJobBehavior, which was to be overridden in each implementation, tried to verify a slave's build id against expectations. This was fairly complex without offering much security.

In this branch I replace the build id with something that's simpler and more secure at the same time: a build cookie. It hashes a bunch of values that are associated with a job running on a slave, and which don't change as a job progresses. Put together and hashed, these values are not very easily predictable. (The hashing helps by obscuring from the slave various values that it could otherwise use as starting points for its guesses). I removed all attempts to parse and analyze the cookie. All that's really needed for verification is to re-generate the cookie and compare the outcome to the version that the slave provided. The two should be equal. This does away with the multiple implementations of the verification logic.

We've discussed these changes on the mailing list and on IRC, in particular with bigjools, jml, and wgrant. A few design considerations:

* We haven't actually identified any real risks even if a compromised slave does forge another slave's build cookie. But the purpose of this check has always been a bit obscure so we're just not taking any chances—especially with future code changes that might otherwise rely on false security. If there is a security risk, this branch can be shown to reduce it. If there is none, this branch merely simplifies the code.

* For now I included the original slave build id, as generated by getName, in the hashed cookie. This means that the cookie will be at least as hard to guess as what we had before.

* William and I analyzed failures that might conceivably occur while verifying a cookie, and considered re-raising them as verification failures. But all failures we could imagine would be bugs. So the appropriate response was always to let the exception propagate as-is.

* There are probably "safer" hash algorithms out there than SHA1. But the code never hashes output from the slave, so there is no question of a compromised slave appending arbitrary data to its output in order to get a desired hash value.

* It's probably still not that hard for a compromised slave, with knowledge of ballpark figures for some of the inputs, to guess the values that went into its own cookie, which it could then use as a starting point for guessing other cookies. We considered including values like the job's start date or builder id. But that may make it easier for future code changes to break the algorithm. For properly secure cookies, we'd need some salt.

There's a bunch of lint output, mostly the usual "unable to import." Also some lint in places I didn't touch; this branch being the size it is I'd rather not mess with that (and risk causing more conflicts for others).

For testing, I ran all Soyuz tests and all tests with "build" in them. But be aware that includes windmill tests, and that when using lucid, you may get "unknown error code" errors from pygpgme. Jelmer has a pygpgme patch underway that fixes those.

To Q/A, verify that Soyuz builds still succeed on dogfood.

Jeroen

Revision history for this message

Eleanor Berger (intellectronica) on 2010-04-12:

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Harpianto,ANDI

James Troup

Jeroen T. Vermeulen

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

 === modified file 'lib/lp/buildmaster/doc/builder.txt'
 --- lib/lp/buildmaster/doc/builder.txt	2010-04-06 22:33:44 +0000
 +++ lib/lp/buildmaster/doc/builder.txt	2010-04-12 06:43:20 +0000
@@ -266,18 +266,18 @@
  against the database. If it isn't building what we think it should be,
  the current build will be aborted and the slave cleaned in preparation
  for a new task. The decision about the slave's correctness is left up
--to IBuildFarmJobBehavior.verifySlaveBuildID -- for these examples we
--will use a special behavior that just checks if the slave ID is 'good'.
++to IBuildFarmJobBehavior.verifySlaveBuildCookie -- for these examples we
++will use a special behavior that just checks if the cookie reads 'good'.
      >>> import logging
--    >>> from lp.buildmaster.interfaces.builder import CorruptBuildID
++    >>> from lp.buildmaster.interfaces.builder import CorruptBuildCookie
      >>> from lp.soyuz.tests.soyuzbuilddhelpers import (
      ...    BuildingSlave, MockBuilder, OkSlave, WaitingSlave)
      >>> class TestBuildBehavior:
--    ...     def verifySlaveBuildID(self, build_id):
--    ...         if build_id != 'good':
--    ...             raise CorruptBuildID('Bad value')
++    ...     def verifySlaveBuildCookie(self, cookie):
++    ...         if cookie != 'good':
++    ...             raise CorruptBuildCookie('Bad value')
      >>> def rescue_slave_if_lost(slave):
      ...     builder = MockBuilder('mock', slave, TestBuildBehavior())
 === modified file 'lib/lp/buildmaster/doc/buildfarmjobbehavior.txt'
 --- lib/lp/buildmaster/doc/buildfarmjobbehavior.txt	2010-03-25 04:31:10 +0000
 +++ lib/lp/buildmaster/doc/buildfarmjobbehavior.txt	2010-04-12 06:43:20 +0000
@@ -115,7 +115,7 @@
  If a slave is working on a job while we think it is idle, it will always be
  aborted.
--    >>> bob.current_build_behavior.verifySlaveBuildID('foo')
++    >>> bob.current_build_behavior.verifySlaveBuildCookie('foo')
      Traceback (most recent call last):
      ...
--    CorruptBuildID: No job assigned to builder
++    CorruptBuildCookie: No job assigned to builder
 === modified file 'lib/lp/buildmaster/interfaces/builder.py'
 --- lib/lp/buildmaster/interfaces/builder.py	2010-03-24 04:58:35 +0000
 +++ lib/lp/buildmaster/interfaces/builder.py	2010-04-12 06:43:20 +0000
@@ -9,7 +9,7 @@
  __all__ = [
      'BuildDaemonError',
--    'CorruptBuildID',
++    'CorruptBuildCookie',
      'BuildSlaveFailure',
      'CannotBuild',
      'CannotFetchFile',
@@ -46,7 +46,7 @@
      """The build slave had a protocol version. This is a serious error."""
--class CorruptBuildID(BuildDaemonError):
++class CorruptBuildCookie(BuildDaemonError):
      """The build slave is working with mismatched information.
      It needs to be rescued.
@@ -229,8 +229,8 @@
              the status.
          """
--    def verifySlaveBuildID(slave_build_id):
--        """Verify that a slave's build ID is consistent.
++    def verifySlaveBuildCookie(slave_build_id):
++        """Verify that a slave's build cookie is consistent.
          This should delegate to the current `IBuildFarmJobBehavior`.
          """
 === modified file 'lib/lp/buildmaster/interfaces/buildfarmjob.py'
 --- lib/lp/buildmaster/interfaces/buildfarmjob.py	2010-03-16 05:08:47 +0000
 +++ lib/lp/buildmaster/interfaces/buildfarmjob.py	2010-04-12 06:43:20 +0000
@@ -57,6 +57,16 @@
  class IBuildFarmJob(Interface):
      """Operations that jobs for the build farm must implement."""
++    def generateSlaveBuildCookie():
++        """Produce a cookie for the slave as a token of the job it's doing.
++
++        The cookie need not be unique, but should be hard for a
++        compromised slave to guess.
++
++        :return: a hard-to-guess ASCII string that can be reproduced
++            accurately based on this job's properties.
++        """
++
      def score():
          """Calculate a job score appropriate for the job type in question."""
 === modified file 'lib/lp/buildmaster/interfaces/buildfarmjobbehavior.py'
 --- lib/lp/buildmaster/interfaces/buildfarmjobbehavior.py	2010-03-31 02:15:04 +0000
 +++ lib/lp/buildmaster/interfaces/buildfarmjobbehavior.py	2010-04-12 06:43:20 +0000
@@ -59,12 +59,13 @@
             added to it.
          """
--    def verifySlaveBuildID(slave_build_id):
--        """Verify that a slave's build ID shows no signs of corruption.
++    def verifySlaveBuildCookie(slave_build_cookie):
++        """Verify that a slave's build cookie shows no signs of corruption.
--        :param slave_build_id: The slave's build ID, as specified in
--           dispatchBuildToSlave.
--        :raises CorruptBuildID: if the build ID is determined to be corrupt.
++        :param slave_build_cookie: The slave's build cookie, as specified in
++           `dispatchBuildToSlave`.
++        :raises CorruptBuildCookie: if the build cookie isn't what it's
++            supposed to be.
          """
      def updateBuild(queueItem):
 === modified file 'lib/lp/buildmaster/model/builder.py'
 --- lib/lp/buildmaster/model/builder.py	2010-04-08 15:29:39 +0000
 +++ lib/lp/buildmaster/model/builder.py	2010-04-12 06:43:20 +0000
@@ -42,7 +42,7 @@
  from lp.buildmaster.interfaces.buildbase import BuildStatus
  from lp.buildmaster.interfaces.builder import (
      BuildDaemonError, BuildSlaveFailure, CannotBuild, CannotFetchFile,
--    CannotResumeHost, CorruptBuildID, IBuilder, IBuilderSet,
++    CannotResumeHost, CorruptBuildCookie, IBuilder, IBuilderSet,
      ProtocolVersionMismatch)
  from lp.buildmaster.interfaces.buildfarmjobbehavior import (
      BuildBehaviorMismatch)
@@ -182,8 +182,8 @@
      slave_build_id = status_sentence[ident_position[status]]
      try:
--        builder.verifySlaveBuildID(slave_build_id)
--    except CorruptBuildID, reason:
++        builder.verifySlaveBuildCookie(slave_build_id)
++    except CorruptBuildCookie, reason:
          if status == 'BuilderStatus.WAITING':
              builder.cleanSlave()
          else:
@@ -454,9 +454,10 @@
          """See IBuilder."""
          return self.slave.status()
--    def verifySlaveBuildID(self, slave_build_id):
++    def verifySlaveBuildCookie(self, slave_build_id):
          """See `IBuilder`."""
--        return self.current_build_behavior.verifySlaveBuildID(slave_build_id)
++        return self.current_build_behavior.verifySlaveBuildCookie(
++            slave_build_id)
      def updateBuild(self, queueItem):
          """See `IBuilder`."""
 === modified file 'lib/lp/buildmaster/model/buildfarmjob.py'
 --- lib/lp/buildmaster/model/buildfarmjob.py	2010-03-16 05:08:47 +0000
 +++ lib/lp/buildmaster/model/buildfarmjob.py	2010-04-12 06:43:20 +0000
@@ -5,14 +5,18 @@
  __all__ = ['BuildFarmJob']
++import hashlib
++
  from zope.component import getUtility
  from zope.interface import classProvides, implements
++from zope.security.proxy import removeSecurityProxy
  from canonical.launchpad.webapp.interfaces import (
      DEFAULT_FLAVOR, IStoreSelector, MAIN_STORE)
  from lp.buildmaster.interfaces.buildfarmjob import (
      IBuildFarmJob, IBuildFarmCandidateJobSelection,
      ISpecificBuildFarmJobClass)
++from lp.buildmaster.interfaces.buildqueue import IBuildQueueSet
  class BuildFarmJob:
@@ -21,6 +25,26 @@
      classProvides(
          IBuildFarmCandidateJobSelection, ISpecificBuildFarmJobClass)
++    def generateSlaveBuildCookie(self):
++        """See `IBuildFarmJob`."""
++        buildqueue = getUtility(IBuildQueueSet).getByJob(self.job)
++
++        if buildqueue.processor is None:
++            processor = '*'
++        else:
++            processor = repr(buildqueue.processor.id)
++
++        contents = ';'.join([
++            repr(removeSecurityProxy(self.job).id),
++            self.job.date_created.isoformat(),
++            repr(buildqueue.id),
++            buildqueue.job_type.name,
++            processor,
++            self.getName(),
++            ])
++
++        return hashlib.sha1(contents).hexdigest()
++
      def score(self):
          """See `IBuildFarmJob`."""
          raise NotImplementedError
 === modified file 'lib/lp/buildmaster/model/buildfarmjobbehavior.py'
 --- lib/lp/buildmaster/model/buildfarmjobbehavior.py	2010-03-31 04:08:34 +0000
 +++ lib/lp/buildmaster/model/buildfarmjobbehavior.py	2010-04-12 06:43:20 +0000
@@ -16,23 +16,17 @@
  import socket
  import xmlrpclib
--from sqlobject import SQLObjectNotFound
--
  from zope.component import getUtility
  from zope.interface import implements
--from zope.security.proxy import removeSecurityProxy, isinstance as zisinstance
++from zope.security.proxy import removeSecurityProxy
  from canonical import encoding
  from canonical.librarian.interfaces import ILibrarianClient
--from canonical.launchpad.webapp.interfaces import NotFoundError
--from lp.buildmaster.interfaces.builder import CorruptBuildID
++from lp.buildmaster.interfaces.builder import CorruptBuildCookie
  from lp.buildmaster.interfaces.buildfarmjobbehavior import (
      BuildBehaviorMismatch, IBuildFarmJobBehavior)
--from lp.buildmaster.interfaces.buildqueue import IBuildQueueSet
--from lp.buildmaster.model.buildqueue import BuildQueue
  from lp.services.job.interfaces.job import JobStatus
--from lp.soyuz.interfaces.build import IBuildSet
  class BuildFarmJobBehaviorBase:
@@ -64,102 +58,11 @@
          The default behavior is that we don't add any extra values."""
          pass
--    def _helpVerifyBuildIDComponent(self, raw_id, item_type, finder):
--        """Helper for verifying parts of a `BuildFarmJob` name.
--
--        Different `IBuildFarmJob` implementations can have different
--        ways of constructing their identifying names.  The names are
--        produced by `IBuildFarmJob.getName` and verified by
--        `IBuildFarmJobBehavior.verifySlaveBuildID`.
--
--        This little helper makes it easier to verify an object id
--        embedded in that name, check that it's a valid number, and
--        retrieve the associated database object.
--
--        :param raw_id: An unverified id string as extracted from the
--            build name.  The method will verify that it is a number, and
--            try to retrieve the associated object.
--        :param item_type: The type of object this id represents.  Should
--            be a class.
--        :param finder: A function that, given an integral id, finds the
--            associated object of type `item_type`.
--        :raise CorruptBuildID: If `raw_id` is malformed in some way or
--            the associated `item_type` object is not found.
--        :return: An object that is an instance of `item_type`.
--        """
--        type_name = item_type.__name__
--        try:
--            numeric_id = int(raw_id)
--        except ValueError:
--            raise CorruptBuildID(
--                "%s ID is not a number: '%s'" % (type_name, raw_id))
--
--        try:
--            item = finder(numeric_id)
--        except (NotFoundError, SQLObjectNotFound), reason:
--            raise CorruptBuildID(
--                "%s %d is not available: %s" % (
--                    type_name, numeric_id, reason))
--        except Exception, reason:
--            raise CorruptBuildID(
--                "Error while looking up %s %d: %s" % (
--                    type_name, numeric_id, reason))
--
--        if item is None:
--            raise CorruptBuildID("There is no %s with id %d." % (
--                type_name, numeric_id))
--
--        assert zisinstance(item, item_type), (
--            "Looked for %s, but found %s." % (type_name, repr(item)))
--
--        return item
--
--    def getVerifiedBuild(self, raw_id):
--        """Verify and retrieve the `Build` component of a slave build id.
--
--        This does part of the verification for `verifySlaveBuildID`.
--
--        By default, a `BuildFarmJob` has an identifying name of the form
--        "b-q", where b is the id of its `Build` and q is the id of its
--        `BuildQueue` record.
--
--        Use `getVerifiedBuild` to verify the "b" part, and retrieve the
--        associated `Build`.
--        """
--        # Avoid circular import.
--        from lp.soyuz.model.build import Build
--
--        return self._helpVerifyBuildIDComponent(
--            raw_id, Build, getUtility(IBuildSet).getByBuildID)
--
--    def getVerifiedBuildQueue(self, raw_id):
--        """Verify and retrieve the `BuildQueue` component of a slave build id.
--
--        This does part of the verification for `verifySlaveBuildID`.
--
--        By default, a `BuildFarmJob` has an identifying name of the form
--        "b-q", where b is the id of its `Build` and q is the id of its
--        `BuildQueue` record.
--
--        Use `getVerifiedBuildQueue` to verify the "q" part, and retrieve
--        the associated `BuildQueue` object.
--        """
--        return self._helpVerifyBuildIDComponent(
--            raw_id, BuildQueue, getUtility(IBuildQueueSet).get)
--
--    def verifySlaveBuildID(self, slave_build_id):
++    def verifySlaveBuildCookie(self, slave_build_cookie):
          """See `IBuildFarmJobBehavior`."""
--        # Extract information from the identifier.
--        try:
--            build_id, queue_item_id = slave_build_id.split('-')
--        except ValueError:
--            raise CorruptBuildID('Malformed build ID')
--
--        build = self.getVerifiedBuild(build_id)
--        queue_item = self.getVerifiedBuildQueue(queue_item_id)
--
--        if build != queue_item.specific_job.build:
--            raise CorruptBuildID('Job build entry mismatch')
++        expected_cookie = self.buildfarmjob.generateSlaveBuildCookie()
++        if slave_build_cookie != expected_cookie:
++            raise CorruptBuildCookie("Invalid slave build cookie.")
      def updateBuild(self, queueItem):
          """See `IBuildFarmJobBehavior`."""
@@ -310,6 +213,6 @@
          """See `IBuildFarmJobBehavior`."""
          return "Idle"
--    def verifySlaveBuildID(self, slave_build_id):
++    def verifySlaveBuildCookie(self, slave_build_id):
          """See `IBuildFarmJobBehavior`."""
--        raise CorruptBuildID('No job assigned to builder')
++        raise CorruptBuildCookie('No job assigned to builder')
 === modified file 'lib/lp/buildmaster/tests/test_buildfarmjobbehavior.py'
 --- lib/lp/buildmaster/tests/test_buildfarmjobbehavior.py	2010-03-12 20:24:53 +0000
 +++ lib/lp/buildmaster/tests/test_buildfarmjobbehavior.py	2010-04-12 06:43:20 +0000
@@ -6,12 +6,14 @@
  from unittest import TestLoader
  from zope.component import getUtility
++from zope.security.proxy import removeSecurityProxy
  from canonical.testing.layers import ZopelessDatabaseLayer
  from lp.testing import TestCaseWithFactory
++from lp.testing.fakemethod import FakeMethod
  from lp.buildmaster.interfaces.buildbase import BuildStatus
--from lp.buildmaster.interfaces.builder import CorruptBuildID
++from lp.buildmaster.interfaces.builder import CorruptBuildCookie
  from lp.buildmaster.model.buildfarmjobbehavior import BuildFarmJobBehaviorBase
  from lp.registry.interfaces.pocket import PackagePublishingPocket
  from lp.soyuz.interfaces.processor import IProcessorFamilySet
@@ -31,8 +33,15 @@
          """Create a `BuildFarmJobBehaviorBase`."""
          if buildfarmjob is None:
              buildfarmjob = FakeBuildFarmJob()
++        else:
++            buildfarmjob = removeSecurityProxy(buildfarmjob)
          return BuildFarmJobBehaviorBase(buildfarmjob)
++    def _changeBuildFarmJobName(self, buildfarmjob):
++        """Manipulate `buildfarmjob` so that its `getName` changes."""
++        name = buildfarmjob.getName() + 'x'
++        removeSecurityProxy(buildfarmjob).getName = FakeMethod(result=name)
++
      def _makeBuild(self):
          """Create a `Build` object."""
          x86 = getUtility(IProcessorFamilySet).getByName('x86')
@@ -69,44 +78,72 @@
          self.assertRaises(
              AssertionError, behavior.extractBuildStatus, slave_status)
--    def test_getVerifiedBuild_success(self):
--        build = self._makeBuild()
--        behavior = self._makeBehavior()
--        raw_id = str(build.id)
--
--        self.assertEqual(build, behavior.getVerifiedBuild(raw_id))
--
--    def test_getVerifiedBuild_malformed(self):
--        behavior = self._makeBehavior()
--        self.assertRaises(CorruptBuildID, behavior.getVerifiedBuild, 'hi!')
--
--    def test_getVerifiedBuild_notfound(self):
--        build = self._makeBuild()
--        behavior = self._makeBehavior()
--        nonexistent_id = str(build.id + 99)
--
--        self.assertRaises(
--            CorruptBuildID, behavior.getVerifiedBuild, nonexistent_id)
--
--    def test_getVerifiedBuildQueue_success(self):
--        buildqueue = self._makeBuildQueue()
--        behavior = self._makeBehavior()
--        raw_id = str(buildqueue.id)
--
--        self.assertEqual(buildqueue, behavior.getVerifiedBuildQueue(raw_id))
--
--    def test_getVerifiedBuildQueue_malformed(self):
--        behavior = self._makeBehavior()
--        self.assertRaises(
--            CorruptBuildID, behavior.getVerifiedBuildQueue, 'bye!')
--
--    def test_getVerifiedBuildQueue_notfound(self):
--        buildqueue = self._makeBuildQueue()
--        behavior = self._makeBehavior()
--        nonexistent_id = str(buildqueue.id + 99)
--
--        self.assertRaises(
--            CorruptBuildID, behavior.getVerifiedBuildQueue, nonexistent_id)
++    def test_cookie_baseline(self):
++        buildfarmjob = self.factory.makeTranslationTemplatesBuildJob()
++
++        cookie = buildfarmjob.generateSlaveBuildCookie()
++
++        self.assertNotEqual(None, cookie)
++        self.assertNotEqual(0, len(cookie))
++        self.assertTrue(len(cookie) > 10)
++
++        self.assertEqual(cookie, buildfarmjob.generateSlaveBuildCookie())
++
++    def test_verifySlaveBuildCookie_good(self):
++        buildfarmjob = self.factory.makeTranslationTemplatesBuildJob()
++        behavior = self._makeBehavior(buildfarmjob)
++
++        cookie = buildfarmjob.generateSlaveBuildCookie()
++
++        # The correct cookie validates successfully.
++        behavior.verifySlaveBuildCookie(cookie)
++
++    def test_verifySlaveBuildCookie_bad(self):
++        buildfarmjob = self.factory.makeTranslationTemplatesBuildJob()
++        behavior = self._makeBehavior(buildfarmjob)
++
++        cookie = buildfarmjob.generateSlaveBuildCookie()
++
++        self.assertRaises(
++            CorruptBuildCookie,
++            behavior.verifySlaveBuildCookie,
++            cookie + 'x')
++
++    def test_cookie_includes_job_name(self):
++        # The cookie is a hash that includes the job's name.
++        buildfarmjob = self.factory.makeTranslationTemplatesBuildJob()
++        buildfarmjob = removeSecurityProxy(buildfarmjob)
++        behavior = self._makeBehavior(buildfarmjob)
++        cookie = buildfarmjob.generateSlaveBuildCookie()
++
++        self._changeBuildFarmJobName(buildfarmjob)
++
++        self.assertRaises(
++            CorruptBuildCookie,
++            behavior.verifySlaveBuildCookie,
++            cookie)
++
++        # However, the name is not included in plaintext so as not to
++        # provide a compromised slave a starting point for guessing
++        # another slave's cookie.
++        self.assertNotIn(buildfarmjob.getName(), cookie)
++
++    def test_cookie_includes_more_than_name(self):
++        # Two build jobs with the same name still get different cookies.
++        buildfarmjob1 = self.factory.makeTranslationTemplatesBuildJob()
++        buildfarmjob1 = removeSecurityProxy(buildfarmjob1)
++        buildfarmjob2 = self.factory.makeTranslationTemplatesBuildJob(
++            branch=buildfarmjob1.branch)
++        buildfarmjob2 = removeSecurityProxy(buildfarmjob2)
++
++        name_factory = FakeMethod(result="same-name")
++        buildfarmjob1.getName = name_factory
++        buildfarmjob2.getName = name_factory
++
++        self.assertEqual(buildfarmjob1.getName(), buildfarmjob2.getName())
++        self.assertNotEqual(
++            buildfarmjob1.generateSlaveBuildCookie(),
++            buildfarmjob2.generateSlaveBuildCookie())
  def test_suite():
 === modified file 'lib/lp/buildmaster/tests/test_manager.py'
 --- lib/lp/buildmaster/tests/test_manager.py	2010-04-09 00:00:26 +0000
 +++ lib/lp/buildmaster/tests/test_manager.py	2010-04-12 06:43:20 +0000
@@ -552,7 +552,7 @@
                 'http://localhost:58000/43/alsa-utils_1.0.9a-4ubuntu1.dsc',
                 '', '')),
               ('build',
--              ('11-2',
++              ('6358a89e2215e19b02bf91e2e4d009640fae5cf8',
                 'binarypackage', '0feca720e2c29dafb2c900713ba560e03b758711',
                 {'alsa-utils_1.0.9a-4ubuntu1.dsc':
                  '4e3961baf4f56fdbc95d0dd47f3c5bc275da8a33'},
 === modified file 'lib/lp/code/model/recipebuilder.py'
 --- lib/lp/code/model/recipebuilder.py	2010-03-31 02:15:04 +0000
 +++ lib/lp/code/model/recipebuilder.py	2010-04-12 06:43:20 +0000
@@ -96,13 +96,14 @@
          # results so we know we are referring to the right database object in
          # subsequent runs.
          buildid = "%s-%s" % (self.build.id, build_queue_id)
++        cookie = self.buildfarmjob.generateSlaveBuildCookie()
          chroot_sha1 = chroot.content.sha1
          logger.debug(
              "Initiating build %s on %s" % (buildid, self._builder.url))
          args = self._extraBuildArgs(distroarchseries)
          status, info = self._builder.slave.build(
--            buildid, "sourcepackagerecipe", chroot_sha1, {}, args)
++            cookie, "sourcepackagerecipe", chroot_sha1, {}, args)
          message = """%s (%s):
          ***** RESULT *****
          %s
@@ -156,12 +157,3 @@
              status['build_status'] in build_status_with_files):
              status['filemap'] = raw_slave_status[3]
              status['dependencies'] = raw_slave_status[4]
--
--
--    def getVerifiedBuild(self, raw_id):
--        """See `IBuildFarmJobBehavior`."""
--        # This type of job has a build that is of type BuildBase but not
--        # actually a Build.
--        return self._helpVerifyBuildIDComponent(
--            raw_id, SourcePackageRecipeBuild,
--            getUtility(ISourcePackageRecipeBuildSource).getById)
 === modified file 'lib/lp/code/model/sourcepackagerecipebuild.py'
 --- lib/lp/code/model/sourcepackagerecipebuild.py	2010-04-06 20:17:04 +0000
 +++ lib/lp/code/model/sourcepackagerecipebuild.py	2010-04-12 06:43:20 +0000
@@ -216,3 +216,6 @@
          store = IMasterStore(SourcePackageRecipeBuildJob)
          store.add(specific_job)
          return specific_job
++
++    def getName(self):
++        return "%s-%s" % (self.id, self.build_id)
 === modified file 'lib/lp/code/tests/test_recipebuilder.py'
 --- lib/lp/code/tests/test_recipebuilder.py	2010-04-06 22:33:44 +0000
 +++ lib/lp/code/tests/test_recipebuilder.py	2010-04-12 06:43:20 +0000
@@ -8,22 +8,25 @@
  import transaction
  import unittest
++from zope.security.proxy import removeSecurityProxy
++
  from canonical.testing import LaunchpadFunctionalLayer
  from canonical.launchpad.scripts.logger import BufferLogger
  from lp.buildmaster.interfaces.builder import CannotBuild
++from lp.buildmaster.interfaces.buildfarmjob import BuildFarmJobType
  from lp.buildmaster.interfaces.buildfarmjobbehavior import (
      IBuildFarmJobBehavior)
  from lp.buildmaster.manager import RecordingSlave
++from lp.buildmaster.model.buildqueue import BuildQueue
  from lp.code.model.recipebuilder import RecipeBuildBehavior
  from lp.code.model.sourcepackagerecipebuild import (
      SourcePackageRecipeBuild)
--from lp.soyuz.adapters.archivedependencies import get_sources_list_for_building
++from lp.soyuz.adapters.archivedependencies import (
++    get_sources_list_for_building)
  from lp.soyuz.model.processor import ProcessorFamilySet
  from lp.soyuz.tests.soyuzbuilddhelpers import (
      MockBuilder, OkSlave)
--from lp.soyuz.tests.test_binarypackagebuildbehavior import (
--    BaseTestVerifySlaveBuildID)
  from lp.soyuz.tests.test_publishing import (
      SoyuzTestPublisher,)
  from lp.testing import TestCaseWithFactory
@@ -63,6 +66,8 @@
          spb = self.factory.makeSourcePackageRecipeBuild(
              sourcepackage=sourcepackage, recipe=recipe, requester=requester)
          job = spb.makeJob()
++        job_id = removeSecurityProxy(job.job).id
++        BuildQueue(job_type=BuildFarmJobType.RECIPEBRANCHBUILD, job=job_id)
          job = IBuildFarmJobBehavior(job)
          return job
@@ -126,7 +131,8 @@
          self.assertEquals(["ensurepresent", "build"],
                            [call[0] for call in slave.calls])
          build_args = slave.calls[1][1]
--        self.assertEquals(build_args[0], "1-someid")
++        self.assertEquals(
++            build_args[0], job.buildfarmjob.generateSlaveBuildCookie())
          self.assertEquals(build_args[1], "sourcepackagerecipe")
          self.assertEquals(build_args[3], {})
          distroarchseries = job.build.distroseries.architectures[0]
@@ -151,26 +157,5 @@
              job.build, SourcePackageRecipeBuild.getById(job.build.id))
--class BaseTestCaseWithBuilds(TestCaseWithFactory):
--    def setUp(self):
--        super(BaseTestCaseWithBuilds, self).setUp()
--
--        self.builds = []
--
--        build = self.factory.makeSourcePackageRecipeBuild()
--        build.queueBuild()
--        self.builds.append(build)
--
--        build = self.factory.makeSourcePackageRecipeBuild()
--        build.queueBuild()
--        self.builds.append(build)
--
--
--class TestVerifySlaveBuildID(BaseTestVerifySlaveBuildID,
--                             BaseTestCaseWithBuilds):
--    """Run the tests from BaseTestVerifySlaveBuildID against recipe builds."""
--    pass
--
--
  def test_suite():
      return unittest.TestLoader().loadTestsFromName(__name__)
 === modified file 'lib/lp/soyuz/doc/buildd-slavescanner.txt'
 --- lib/lp/soyuz/doc/buildd-slavescanner.txt	2010-04-09 00:00:26 +0000
 +++ lib/lp/soyuz/doc/buildd-slavescanner.txt	2010-04-12 06:43:20 +0000
@@ -38,8 +38,15 @@
  Slave-scanner will deactivate a 'lost-building' builder that could not
  be aborted appropriately.
++    >>> from zope.security.proxy import removeSecurityProxy
++    >>> from lp.buildmaster.interfaces.builder import CorruptBuildCookie
++    >>> from lp.testing.fakemethod import FakeMethod
      >>> lostbuilding_builder = MockBuilder(
      ...     'Lost Building Broken Slave', LostBuildingBrokenSlave())
++    >>> behavior = removeSecurityProxy(
++    ...     lostbuilding_builder.current_build_behavior)
++    >>> behavior.verifySlaveBuildCookie = FakeMethod(
++    ...     failure=CorruptBuildCookie("Hopelessly lost!"))
      >>> lostbuilding_builder.updateStatus(logger)
      Aborting slave
@@ -80,7 +87,6 @@
  To make testing easier we provide a convenience function to put a BuildQueue
  object into a preset fixed state:
--    >>> from zope.security.proxy import removeSecurityProxy
      >>> default_start = datetime.datetime(2005, 1, 1, 8, 0, 0, tzinfo=UTC)
      >>> def setupBuildQueue(build_queue, builder):
      ...      build_queue.builder = builder
 === modified file 'lib/lp/soyuz/model/binarypackagebuildbehavior.py'
 --- lib/lp/soyuz/model/binarypackagebuildbehavior.py	2010-04-08 14:48:02 +0000
 +++ lib/lp/soyuz/model/binarypackagebuildbehavior.py	2010-04-12 06:43:20 +0000
@@ -65,13 +65,14 @@
          # results so we know we are referring to the right database object in
          # subsequent runs.
          buildid = "%s-%s" % (self.build.id, build_queue_id)
++        cookie = self.buildfarmjob.generateSlaveBuildCookie()
          chroot_sha1 = chroot.content.sha1
          logger.debug(
              "Initiating build %s on %s" % (buildid, self._builder.url))
          args = self._extraBuildArgs(self.build)
          status, info = self._builder.slave.build(
--            buildid, "binarypackage", chroot_sha1, filemap, args)
++            cookie, "binarypackage", chroot_sha1, filemap, args)
          message = """%s (%s):
          ***** RESULT *****
          %s
@@ -122,10 +123,11 @@
          # This should already have been checked earlier, but just check again
          # here in case of programmer errors.
--        reason = check_upload_to_pocket(build.archive, build.distroseries, build.pocket)
++        reason = check_upload_to_pocket(
++            build.archive, build.distroseries, build.pocket)
          assert reason is None, (
                  "%s (%s) can not be built for pocket %s: invalid pocket due "
--                "to the series status of %s." %
++                "to the series status of %s." %
                      (build.title, build.id, build.pocket.name,
                       build.distroseries.name))
 === modified file 'lib/lp/soyuz/tests/soyuzbuilddhelpers.py'
 --- lib/lp/soyuz/tests/soyuzbuilddhelpers.py	2010-04-03 03:49:52 +0000
 +++ lib/lp/soyuz/tests/soyuzbuilddhelpers.py	2010-04-12 06:43:20 +0000
@@ -52,8 +52,9 @@
      def slaveStatusSentence(self):
          return self.slave.status()
--    def verifySlaveBuildID(self, slave_build_id):
--        return self.current_build_behavior.verifySlaveBuildID(slave_build_id)
++    def verifySlaveBuildCookie(self, slave_build_id):
++        return self.current_build_behavior.verifySlaveBuildCookie(
++            slave_build_id)
      def cleanSlave(self):
          print 'Cleaning slave'
 === removed file 'lib/lp/soyuz/tests/test_binarypackagebuildbehavior.py'
 --- lib/lp/soyuz/tests/test_binarypackagebuildbehavior.py	2010-01-21 05:03:16 +0000
 +++ lib/lp/soyuz/tests/test_binarypackagebuildbehavior.py	1970-01-01 00:00:00 +0000
@@ -1,66 +0,0 @@
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
--# GNU Affero General Public License version 3 (see the file LICENSE).
--
--"""Test BinaryPackageBuildBehavior functionality."""
--
--__metaclass__ = type
--
--import unittest
--
--from canonical.testing import LaunchpadZopelessLayer
--from lp.buildmaster.interfaces.buildfarmjobbehavior import (
--    IBuildFarmJobBehavior)
--from lp.buildmaster.interfaces.builder import CorruptBuildID
--from lp.soyuz.tests.test_build import BaseTestCaseWithThreeBuilds
--
--
--class BaseTestVerifySlaveBuildID:
--
--    layer = LaunchpadZopelessLayer
--
--    def setUp(self):
--        super(BaseTestVerifySlaveBuildID, self).setUp()
--        self.build = self.builds[0]
--        self.other_build = self.builds[1]
--        self.builder = self.factory.makeBuilder(name='builder')
--
--    def test_consistent_build_id(self):
--        # verifySlaveBuildID returns None if the build and buildqueue
--        # ID pair reported by the slave are associated in the database.
--        buildfarmjob = self.build.buildqueue_record.specific_job
--        behavior = IBuildFarmJobBehavior(buildfarmjob)
--        behavior.verifySlaveBuildID(
--            '%d-%d' % (self.build.id, self.build.buildqueue_record.id))
--
--    def test_mismatched_build_id(self):
--        # verifySlaveBuildID returns an error if the build and
--        # buildqueue exist, but are not associated in the database.
--        buildfarmjob = self.build.buildqueue_record.specific_job
--        behavior = IBuildFarmJobBehavior(buildfarmjob)
--        self.assertRaises(
--            CorruptBuildID, behavior.verifySlaveBuildID,
--            '%d-%d' % (self.other_build.id, self.build.buildqueue_record.id))
--
--    def test_build_id_without_separator(self):
--        # verifySlaveBuildID returns an error if the build ID does not
--        # contain a build and build queue ID separated by a hyphen.
--        buildfarmjob = self.build.buildqueue_record.specific_job
--        behavior = IBuildFarmJobBehavior(buildfarmjob)
--        self.assertRaises(
--            CorruptBuildID, behavior.verifySlaveBuildID, 'foo')
--
--    def test_build_id_with_missing_build(self):
--        # verifySlaveBuildID returns an error if either the build or
--        # build queue specified do not exist.
--        buildfarmjob = self.build.buildqueue_record.specific_job
--        behavior = IBuildFarmJobBehavior(buildfarmjob)
--        self.assertRaises(
--            CorruptBuildID, behavior.verifySlaveBuildID, '98-99')
--
--
--class TestVerifySlaveBuildID(BaseTestVerifySlaveBuildID,
--                             BaseTestCaseWithThreeBuilds):
--    pass
--
--def test_suite():
--    return unittest.TestLoader().loadTestsFromName(__name__)
 === modified file 'lib/lp/translations/model/translationtemplatesbuildbehavior.py'
 --- lib/lp/translations/model/translationtemplatesbuildbehavior.py	2010-04-08 15:09:15 +0000
 +++ lib/lp/translations/model/translationtemplatesbuildbehavior.py	2010-04-12 06:43:20 +0000
@@ -17,7 +17,6 @@
  from canonical.launchpad.interfaces import ILaunchpadCelebrities
--from lp.buildmaster.interfaces.builder import CorruptBuildID
  from lp.buildmaster.interfaces.buildfarmjobbehavior import (
      IBuildFarmJobBehavior)
  from lp.buildmaster.model.buildfarmjobbehavior import (
@@ -42,28 +41,13 @@
          chroot = self._getChroot()
          chroot_sha1 = chroot.content.sha1
          self._builder.slave.cacheFile(logger, chroot)
--        buildid = self.buildfarmjob.getName()
++        cookie = self.buildfarmjob.generateSlaveBuildCookie()
          args = self.buildfarmjob.metadata
          filemap = {}
          self._builder.slave.build(
--            buildid, self.build_type, chroot_sha1, filemap, args)
--
--    def verifySlaveBuildID(self, slave_build_id):
--        """See `IBuildFarmJobBehavior`."""
--        try:
--            branch_name, queue_item_id = slave_build_id.rsplit('-', 1)
--        except ValueError:
--            raise CorruptBuildID(
--                "Malformed translation templates build id: '%s'" % (
--                    slave_build_id))
--
--        buildqueue = self.getVerifiedBuildQueue(queue_item_id)
--        if buildqueue.job != self.buildfarmjob.job:
--            raise CorruptBuildID(
--                "ID mismatch for translation templates build '%s'" % (
--                    slave_build_id))
++            cookie, self.build_type, chroot_sha1, filemap, args)
      def _getChroot(self):
          ubuntu = getUtility(ILaunchpadCelebrities).ubuntu
@@ -127,7 +111,8 @@
                  logger.error("Build produced no tarball.")
              else:
                  logger.debug("Uploading translation templates tarball.")
--                self._uploadTarball(queue_item.specific_job.branch, tarball, logger)
++                self._uploadTarball(
++                    queue_item.specific_job.branch, tarball, logger)
                  logger.debug("Upload complete.")
          queue_item.builder.cleanSlave()
 === modified file 'lib/lp/translations/tests/test_translationtemplatesbuildbehavior.py'
 --- lib/lp/translations/tests/test_translationtemplatesbuildbehavior.py	2010-04-08 15:09:15 +0000
 +++ lib/lp/translations/tests/test_translationtemplatesbuildbehavior.py	2010-04-12 06:43:20 +0000
@@ -20,7 +20,6 @@
  from lp.buildmaster.interfaces.buildbase import BuildStatus
  from lp.buildmaster.interfaces.buildfarmjobbehavior import (
      IBuildFarmJobBehavior)
--from lp.buildmaster.interfaces.builder import CorruptBuildID
  from lp.buildmaster.interfaces.buildqueue import IBuildQueueSet
  from lp.testing import TestCaseWithFactory
  from lp.testing.fakemethod import FakeMethod
@@ -198,38 +197,6 @@
          self.assertEqual(1, builder.cleanSlave.call_count)
          self.assertEqual(0, behavior._uploadTarball.call_count)
--    def test_verifySlaveBuildID_success(self):
--        # TranslationTemplatesBuildJob.getName generates slave build ids
--        # that TranslationTemplatesBuildBehavior.verifySlaveBuildID
--        # accepts.
--        behavior = self.makeBehavior()
--        buildfarmjob = behavior.buildfarmjob
--        job = buildfarmjob.job
--
--        # The test is that this not raise CorruptBuildID (or anything
--        # else, for that matter).
--        behavior.verifySlaveBuildID(behavior.buildfarmjob.getName())
--
--    def test_verifySlaveBuildID_handles_dashes(self):
--        # TranslationTemplatesBuildBehavior.verifySlaveBuildID can deal
--        # with dashes in branch names.
--        behavior = self.makeBehavior()
--        buildfarmjob = behavior.buildfarmjob
--        job = buildfarmjob.job
--        buildfarmjob.branch.name = 'x-y-z--'
--
--        # The test is that this not raise CorruptBuildID (or anything
--        # else, for that matter).
--        behavior.verifySlaveBuildID(behavior.buildfarmjob.getName())
--
--    def test_verifySlaveBuildID_malformed(self):
--        behavior = self.makeBehavior()
--        self.assertRaises(CorruptBuildID, behavior.verifySlaveBuildID, 'huh?')
--
--    def test_verifySlaveBuildID_notfound(self):
--        behavior = self.makeBehavior()
--        self.assertRaises(CorruptBuildID, behavior.verifySlaveBuildID, '1-1')
--
  class TestTTBuildBehaviorTranslationsQueue(
          TestCaseWithFactory, MakeBehaviorMixin):