download and hash verify all packages before install
This commit is contained in:
parent
249e93bcce
commit
73d0e657fa
|
@ -13,6 +13,7 @@ ADD scripts/ /usr/local/bin/
|
|||
## Install packages from packages.list with retry
|
||||
ADD config/container/sources.list /etc/apt/sources.list
|
||||
ADD config/container/packages.list /etc/apt/packages.list
|
||||
ADD config/container/package-hashes.txt /etc/apt/package-hashes.txt
|
||||
ADD config/container/apt.conf /etc/apt/apt.conf
|
||||
RUN apt-install
|
||||
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
01e99d68427722e64c603d45f00063c303b02afb53d85c8d1476deca70db64c6 libreadline7_7.0-5_amd64.deb
|
||||
0226c5853f5e48d7e99796c2e6332591383e9c337ac588e1b689f537abd0a891 libssh2-1_1.8.0-2.1_amd64.deb
|
||||
02f795889390fa0e1f29c6ecdd4a30cd0aae39c0c6b1379410055404b0897c66 libx11-data_2%3a1.6.7-1+deb10u1_all.deb
|
||||
03a133833154325c731291c8a87daef5962dcfb75dee7cdb11f7fb923de2db82 openssl_1.1.1d-0+deb10u3_amd64.deb
|
||||
042967b8267ee537ed9a1bf012533622847aab433362e3b57c9108a53bfcb99a libkrb5-3_1.17-3_amd64.deb
|
||||
05e64681a0c3037fa71c94c083a8aabb6eb5f40e974c4ec548e0376635cffeb0 gpg-wks-server_2.2.12-1+deb10u1_amd64.deb
|
||||
05e90f94363055cf27cd88b7968820645180d37a649a93cf5d7ea6f3c7fe973e gcc-8_8.3.0-6_amd64.deb
|
||||
|
@ -78,6 +79,7 @@ a65ea1c2a2c32995ea5337dc769ea2de503dd65e0ee2cde345d565ba06575d0c file_1%3a5.35-4
|
|||
a73b05c10399636a7c7bff266205de05631dc4af502bfb441cbbc6af0a7deb2a libmpc3_1.1.0-1_amd64.deb
|
||||
a7857b726c3e0d16cda2fbb9020d42e024a3160d54ef858f58578612276683e8 libxau6_1%3a1.0.8-1+b2_amd64.deb
|
||||
ae756853eff06749370f37f717339098d7ead8eb40d8eca9050c4dd8d64be33a g++_4%3a8.3.0-1_amd64.deb
|
||||
b293309a892730986e779aea48e97ea94cd58f34f07fefbd432c210ee4a427e2 libssl1.1_1.1.1d-0+deb10u3_amd64.deb
|
||||
b3392a29de0cea29f9e8e07793d1f03fcb84a3ca25b7471e2db0e0fa93ffa566 libldap-common_2.4.47+dfsg-3+deb10u2_all.deb
|
||||
b582f4bc549877d59254318feaaf1354020d695cfe9b9e6aab0aa26b65c29071 libubsan1_8.3.0-6_amd64.deb
|
||||
b9db9483510589d939ee897b8b2b15661d243c8fac13dfa18e6daa10be5d0a2a liblsan0_8.3.0-6_amd64.deb
|
||||
|
|
|
@ -1,119 +1,121 @@
|
|||
patch=2.7.6-3+deb10u1
|
||||
libreadline7=7.0-5
|
||||
libssh2-1=1.8.0-2.1
|
||||
libx11-data=2%3a1.6.7-1+deb10u1
|
||||
libkrb5-3=1.17-3
|
||||
gpg-wks-server=2.2.12-1+deb10u1
|
||||
gcc-8=8.3.0-6
|
||||
libbsd0=0.9.1-2
|
||||
perl=5.28.1-6+deb10u1
|
||||
libkeyutils1=1.6-6
|
||||
libperl5.28=5.28.1-6+deb10u1
|
||||
libtsan0=8.3.0-6
|
||||
libmagic-mgc=1%3a5.35-4+deb10u1
|
||||
openssh-client=1%3a7.9p1-10+deb10u2
|
||||
readline-common=7.0-5
|
||||
libpcre2-8-0=10.32-5
|
||||
libmagic1=1%3a5.35-4+deb10u1
|
||||
libdpkg-perl=1.19.7
|
||||
make=4.2.1-1.2
|
||||
libncurses6=6.1+20181013-2+deb10u2
|
||||
xauth=1%3a1.0.10-1
|
||||
libpsl5=0.20.2-2
|
||||
libksba8=1.3.5-2
|
||||
lsb-base=10.2019051400
|
||||
libgpm2=1.20.7-5
|
||||
libxmuu1=2%3a1.1.2-2+b3
|
||||
libalgorithm-diff-xs-perl=0.04-5+b1
|
||||
git-man=1%3a2.20.1-2+deb10u3
|
||||
gnupg=2.2.12-1+deb10u1
|
||||
wget=1.20.1-1.1
|
||||
build-essential=12.6
|
||||
gpg-wks-client=2.2.12-1+deb10u1
|
||||
perl-base=5.28.1-6+deb10u1
|
||||
libc6-dev=2.28-10
|
||||
libgssapi-krb5-2=1.17-3
|
||||
libsasl2-2=2.1.27+dfsg-1+deb10u1
|
||||
dpkg-dev=1.19.7
|
||||
git=1%3a2.20.1-2+deb10u3
|
||||
gpgsm=2.2.12-1+deb10u1
|
||||
bzip2=1.0.6-9.2~deb10u1
|
||||
librtmp1=2.4+20151223.gitfa8646d.1-2
|
||||
less=487-0.1+b1
|
||||
libcc1-0=8.3.0-6
|
||||
libgdbm-compat4=1.18.1-4
|
||||
liberror-perl=0.17027-2
|
||||
perl-modules-5.28=5.28.1-6+deb10u1
|
||||
manpages=4.16-2
|
||||
libcurl3-gnutls=7.64.0-4+deb10u1
|
||||
cpp-8=8.3.0-6
|
||||
unzip=6.0-23+deb10u1
|
||||
libnghttp2-14=1.36.0-2+deb10u1
|
||||
gpg-agent=2.2.12-1+deb10u1
|
||||
libpopt0=1.16-12
|
||||
libxext6=2%3a1.3.3-1+b2
|
||||
libmpx2=8.3.0-6
|
||||
libquadmath0=8.3.0-6
|
||||
libfakeroot=1.23-1
|
||||
gnupg-utils=2.2.12-1+deb10u1
|
||||
libsasl2-modules=2.1.27+dfsg-1+deb10u1
|
||||
ca-certificates=20200601~deb10u1
|
||||
libstdc++-8-dev=8.3.0-6
|
||||
rsync=3.1.3-6
|
||||
libitm1=8.3.0-6
|
||||
libalgorithm-merge-perl=0.08-3
|
||||
libxcb1=1.13.1-2
|
||||
manpages-dev=4.16-2
|
||||
dirmngr=2.2.12-1+deb10u1
|
||||
libc-dev-bin=2.28-10
|
||||
libgomp1=8.3.0-6
|
||||
publicsuffix=20190415.1030-1
|
||||
libassuan0=2.5.2-1
|
||||
libnpth0=1.6-1
|
||||
base-files=10.3+deb10u6
|
||||
bc=1.07.1-2+b1
|
||||
binutils-common=2.31.1-16
|
||||
gpg=2.2.12-1+deb10u1
|
||||
krb5-locales=1.17-3
|
||||
libgcc-8-dev=8.3.0-6
|
||||
file=1%3a5.35-4+deb10u1
|
||||
libmpc3=1.1.0-1
|
||||
libxau6=1%3a1.0.8-1+b2
|
||||
g++=4%3a8.3.0-1
|
||||
libldap-common=2.4.47+dfsg-3+deb10u2
|
||||
libubsan1=8.3.0-6
|
||||
liblsan0=8.3.0-6
|
||||
libk5crypto3=1.17-3
|
||||
libbinutils=2.31.1-16
|
||||
netbase=5.6
|
||||
libgnutls30=3.6.7-4+deb10u5
|
||||
libcurl4=7.64.0-4+deb10u1
|
||||
binutils-x86-64-linux-gnu=2.31.1-16
|
||||
binutils=2.31.1-16
|
||||
libalgorithm-diff-perl=1.19.03-2
|
||||
gpgconf=2.2.12-1+deb10u1
|
||||
gcc=4%3a8.3.0-1
|
||||
libsasl2-modules-db=2.1.27+dfsg-1+deb10u1
|
||||
libfile-fcntllock-perl=0.22-3+b5
|
||||
libedit2=3.1-20181209-1
|
||||
libmpfr6=4.0.2-1
|
||||
libgdbm6=1.18.1-4
|
||||
g++-8=8.3.0-6
|
||||
libasan5=8.3.0-6
|
||||
libisl19=0.20-2
|
||||
libexpat1=2.2.6-2+deb10u1
|
||||
linux-libc-dev=4.19.146-1
|
||||
build-essential=12.6
|
||||
bzip2=1.0.6-9.2~deb10u1
|
||||
ca-certificates=20200601~deb10u1
|
||||
cpio=2.12+dfsg-9
|
||||
liblocale-gettext-perl=1.07-3+b4
|
||||
xz-utils=5.2.4-1
|
||||
libkrb5support0=1.17-3
|
||||
libldap-2.4-2=2.4.47+dfsg-3+deb10u2
|
||||
cpp-8=8.3.0-6
|
||||
cpp=4:8.3.0-1
|
||||
curl=7.64.0-4+deb10u1
|
||||
dirmngr=2.2.12-1+deb10u1
|
||||
dpkg-dev=1.19.7
|
||||
fakeroot=1.23-1
|
||||
file=1:5.35-4+deb10u1
|
||||
g++-8=8.3.0-6
|
||||
g++=4:8.3.0-1
|
||||
gcc-8=8.3.0-6
|
||||
gcc=4:8.3.0-1
|
||||
git-man=1:2.20.1-2+deb10u3
|
||||
git=1:2.20.1-2+deb10u3
|
||||
gnupg-l10n=2.2.12-1+deb10u1
|
||||
cpp=4%3a8.3.0-1
|
||||
libxdmcp6=1%3a1.1.2-3
|
||||
base-files=10.3+deb10u6
|
||||
pinentry-curses=1.1.0-2
|
||||
gnupg-utils=2.2.12-1+deb10u1
|
||||
gnupg=2.2.12-1+deb10u1
|
||||
gpg-agent=2.2.12-1+deb10u1
|
||||
gpg-wks-client=2.2.12-1+deb10u1
|
||||
gpg-wks-server=2.2.12-1+deb10u1
|
||||
gpg=2.2.12-1+deb10u1
|
||||
gpgconf=2.2.12-1+deb10u1
|
||||
gpgsm=2.2.12-1+deb10u1
|
||||
krb5-locales=1.17-3
|
||||
less=487-0.1+b1
|
||||
libalgorithm-diff-perl=1.19.03-2
|
||||
libalgorithm-diff-xs-perl=0.04-5+b1
|
||||
libalgorithm-merge-perl=0.08-3
|
||||
libasan5=8.3.0-6
|
||||
libassuan0=2.5.2-1
|
||||
libatomic1=8.3.0-6
|
||||
bc=1.07.1-2+b1
|
||||
libx11-6=2%3a1.6.7-1+deb10u1
|
||||
libbinutils=2.31.1-16
|
||||
libbsd0=0.9.1-2
|
||||
libc-dev-bin=2.28-10
|
||||
libc6-dev=2.28-10
|
||||
libcc1-0=8.3.0-6
|
||||
libcurl3-gnutls=7.64.0-4+deb10u1
|
||||
libcurl4=7.64.0-4+deb10u1
|
||||
libdpkg-perl=1.19.7
|
||||
libedit2=3.1-20181209-1
|
||||
liberror-perl=0.17027-2
|
||||
libexpat1=2.2.6-2+deb10u1
|
||||
libfakeroot=1.23-1
|
||||
libfile-fcntllock-perl=0.22-3+b5
|
||||
libgcc-8-dev=8.3.0-6
|
||||
libgdbm-compat4=1.18.1-4
|
||||
libgdbm6=1.18.1-4
|
||||
libgnutls30=3.6.7-4+deb10u5
|
||||
libgomp1=8.3.0-6
|
||||
libgpm2=1.20.7-5
|
||||
libgssapi-krb5-2=1.17-3
|
||||
libisl19=0.20-2
|
||||
libitm1=8.3.0-6
|
||||
libk5crypto3=1.17-3
|
||||
libkeyutils1=1.6-6
|
||||
libkrb5-3=1.17-3
|
||||
libkrb5support0=1.17-3
|
||||
libksba8=1.3.5-2
|
||||
libldap-2.4-2=2.4.47+dfsg-3+deb10u2
|
||||
libldap-common=2.4.47+dfsg-3+deb10u2
|
||||
liblocale-gettext-perl=1.07-3+b4
|
||||
liblsan0=8.3.0-6
|
||||
libmagic-mgc=1:5.35-4+deb10u1
|
||||
libmagic1=1:5.35-4+deb10u1
|
||||
libmpc3=1.1.0-1
|
||||
libmpfr6=4.0.2-1
|
||||
libmpx2=8.3.0-6
|
||||
libncurses6=6.1+20181013-2+deb10u2
|
||||
libnghttp2-14=1.36.0-2+deb10u1
|
||||
libnpth0=1.6-1
|
||||
libpcre2-8-0=10.32-5
|
||||
libperl5.28=5.28.1-6+deb10u1
|
||||
libpopt0=1.16-12
|
||||
libpsl5=0.20.2-2
|
||||
libquadmath0=8.3.0-6
|
||||
libreadline7=7.0-5
|
||||
librtmp1=2.4+20151223.gitfa8646d.1-2
|
||||
libsasl2-2=2.1.27+dfsg-1+deb10u1
|
||||
libsasl2-modules-db=2.1.27+dfsg-1+deb10u1
|
||||
libsasl2-modules=2.1.27+dfsg-1+deb10u1
|
||||
libsqlite3-0=3.27.2-3
|
||||
libssh2-1=1.8.0-2.1
|
||||
libssl1.1=1.1.1d-0+deb10u3
|
||||
libstdc++-8-dev=8.3.0-6
|
||||
libtsan0=8.3.0-6
|
||||
libubsan1=8.3.0-6
|
||||
libx11-6=2:1.6.7-1+deb10u1
|
||||
libx11-data=2:1.6.7-1+deb10u1
|
||||
libxau6=1:1.0.8-1+b2
|
||||
libxcb1=1.13.1-2
|
||||
libxdmcp6=1:1.1.2-3
|
||||
libxext6=2:1.3.3-1+b2
|
||||
libxmuu1=2:1.1.2-2+b3
|
||||
linux-libc-dev=4.19.146-1
|
||||
lsb-base=10.2019051400
|
||||
make=4.2.1-1.2
|
||||
manpages-dev=4.16-2
|
||||
manpages=4.16-2
|
||||
netbase=5.6
|
||||
openssh-client=1:7.9p1-10+deb10u2
|
||||
openssl=1.1.1d-0+deb10u3
|
||||
patch=2.7.6-3+deb10u1
|
||||
perl-base=5.28.1-6+deb10u1
|
||||
perl-modules-5.28=5.28.1-6+deb10u1
|
||||
perl=5.28.1-6+deb10u1
|
||||
pinentry-curses=1.1.0-2
|
||||
publicsuffix=20190415.1030-1
|
||||
readline-common=7.0-5
|
||||
rsync=3.1.3-6
|
||||
unzip=6.0-23+deb10u1
|
||||
wget=1.20.1-1.1
|
||||
xauth=1:1.0.10-1
|
||||
xz-utils=5.2.4-1
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
deb http://deb.debian.org/debian buster main
|
||||
deb http://snapshot.debian.org/archive/debian/20201015T000000Z buster main
|
||||
deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster main
|
||||
deb http://security.debian.org/debian-security buster/updates main
|
||||
deb http://snapshot.debian.org/archive/debian-security/20201015T000000Z buster/updates main
|
||||
deb http://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
|
||||
deb http://deb.debian.org/debian buster-updates main
|
||||
deb http://snapshot.debian.org/archive/debian/20201015T000000Z buster-updates main
|
||||
deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main
|
||||
|
|
|
@ -2,9 +2,20 @@
|
|||
set -e;
|
||||
|
||||
apt-get update
|
||||
until apt-get install -y $(cat /etc/apt/packages.list); do
|
||||
until apt-get install --download-only -y $(cat /etc/apt/packages.list); do
|
||||
echo "apt install failed. Likely throttled. Retrying in 10 mins...";
|
||||
sleep 600;
|
||||
done;
|
||||
|
||||
(
|
||||
cd /var/cache/apt/archives \
|
||||
&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
|
||||
| sed 's/.\///g' \
|
||||
| LC_ALL=C sort
|
||||
) > /etc/apt/package-hashes-compare.txt
|
||||
|
||||
diff /etc/apt/package-hashes{,-compare}.txt
|
||||
|
||||
apt-get install -y $(cat /etc/apt/packages.list)
|
||||
|
||||
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*;
|
||||
|
|
|
@ -16,17 +16,18 @@ deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates ma
|
|||
EOF
|
||||
|
||||
apt-get update
|
||||
apt install -y openssl
|
||||
apt-get install -y --download-only $(cat /etc/apt/packages.list)
|
||||
|
||||
(
|
||||
cd /var/cache/apt/archives \
|
||||
&& find . -type f \( -iname \*.deb \) -exec openssl sha256 -r {} \; \
|
||||
| sed 's/ \*.\// /g' \
|
||||
&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
|
||||
| sed 's/.\///g' \
|
||||
| LC_ALL=C sort
|
||||
) > /etc/apt/package-hashes.txt
|
||||
|
||||
cat /etc/apt/package-hashes.txt \
|
||||
| awk '{ print $2 }' \
|
||||
| sed -e 's/_[a-z0-9]\+\.deb//g' -e 's/_/=/g' \
|
||||
> /etc/apt/packages.list
|
||||
cp /dev/null /etc/apt/packages.list
|
||||
for deb in /var/cache/apt/archives/*.deb; do
|
||||
package=$(dpkg-deb -f $deb Package);
|
||||
version=$(dpkg --info ${deb} | grep "^ Version: " | sed 's/^ Version: //g');
|
||||
echo "${package}=${version}" >> /etc/apt/packages.list;
|
||||
done
|
||||
|
|
Loading…
Reference in New Issue