use https with apt wherever possible

Lance Vick 2020-10-16 02:44:26 -07:00
parent 73d0e657fa
commit c8a07da24b
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
4 changed files with 27 additions and 21 deletions


@ -10,9 +10,9 @@ ENV DEBIAN_FRONTEND=noninteractive \
ADD scripts/ /usr/local/bin/
## Install packages from packages.list with retry
ADD config/container/sources.list /etc/apt/sources.list
ADD config/container/packages.list /etc/apt/packages.list
## Download, verify, and install packages against stored lists/hashes via https
ADD config/container/sources.list /etc/apt/sources.list.new
ADD config/container/packages.list /etc/apt/packages.list.new
ADD config/container/package-hashes.txt /etc/apt/package-hashes.txt
ADD config/container/apt.conf /etc/apt/apt.conf
RUN apt-install
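Review bot: The comment above the `ADD` lines does not say why `sources.list` and `packages.list` are now staged with a `.new` suffix, and the reason matters for trust. Judging by the apt-install section of this commit, the first `apt-get update` and the install of `apt-transport-https` and `ca-certificates` run against whatever sources the base image ships, before the pinned https lists are moved into place. I would add a line such as `## Lists are staged as *.new; apt-install bootstraps https support from the base image's sources, then moves them into place`. These are plain local files, so `COPY` would also be more explicit than `ADD` here. The rest of the Dockerfile lies outside the hunk.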


@ -1,6 +1,6 @@
deb http://deb.debian.org/debian buster main
deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
deb http://deb.debian.org/debian buster-updates main
deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main
deb https://deb.debian.org/debian buster main
deb https://snapshot.debian.org/archive/debian/20201016T000000Z buster main
deb https://security.debian.org/debian-security buster/updates main
deb https://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
deb https://deb.debian.org/debian buster-updates main
deb https://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main


@ -1,8 +1,14 @@
#!/usr/bin/env bash
set -e;
# Get latest apt-transport-https and ca-certificates for safer https apt
apt-get update
until apt-get install --download-only -y $(cat /etc/apt/packages.list); do
apt-get install -y apt-transport-https ca-certificates
mv /etc/apt/sources.list{.new,}
mv /etc/apt/packages.list{.new,}
apt-get update
until apt-get install --download-only --reinstall -y $(cat /etc/apt/packages.list); do
echo "apt install failed. Likely throttled. Retrying in 10 mins...";
sleep 600;
done;
@ -18,4 +24,4 @@ diff /etc/apt/package-hashes{,-compare}.txt
apt-get install -y $(cat /etc/apt/packages.list)
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*;
rm -rf /var/ache/apt/archives/* /var/lib/apt/lists/* /tmp/* /var/tmp/*;
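Review bot: The cleanup line at the end of the second hunk, which appears to be the new side, spells the path `/var/ache/apt/archives/*`, so the downloaded `.deb` files under `/var/cache/apt/archives` are never removed and stay in the image layer. Because `rm -rf` exits 0 on a path that does not exist, `set -e` will not catch this. The line should read `rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/* /tmp/* /var/tmp/*;`. Separately, in the first hunk the bootstrap `apt-get install -y apt-transport-https ca-certificates` runs before the hash comparison. Whether those two packages are later covered by it depends on `packages.list` and on the script lines between the two hunks, which are not shown.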


@ -5,19 +5,19 @@ set -e
cat /etc/apt/packages-old.list | sed 's/=.*//g' \
> /etc/apt/packages.list
snapshot_date=$(date -d @${GIT_EPOCH} +"%Y%m%dT000000Z")
cat <<-EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian buster main
deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://snapshot.debian.org/archive/debian-security/${snapshot_date} buster/updates main
deb http://deb.debian.org/debian buster-updates main
deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates main
EOF
apt-get update
apt-get install -y --download-only $(cat /etc/apt/packages.list)
snapshot_date=$(date -d @${GIT_EPOCH} +"%Y%m%dT000000Z")
cat <<-EOF > /etc/apt/sources.list
deb https://deb.debian.org/debian buster main
deb https://snapshot.debian.org/archive/debian/${snapshot_date} buster main
deb https://security.debian.org/debian-security buster/updates main
deb https://snapshot.debian.org/archive/debian-security/${snapshot_date} buster/updates main
deb https://deb.debian.org/debian buster-updates main
deb https://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates main
EOF
(
cd /var/cache/apt/archives \
&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \