use https with apt wherever possible

config/container/Dockerfile

@@ -10,9 +10,9 @@ ENV DEBIAN_FRONTEND=noninteractive \
 
 ADD scripts/ /usr/local/bin/
 
-## Install packages from packages.list with retry
-ADD config/container/sources.list /etc/apt/sources.list
-ADD config/container/packages.list /etc/apt/packages.list
+## Download, verify, and install packages against stored lists/hashes via https
+ADD config/container/sources.list /etc/apt/sources.list.new
+ADD config/container/packages.list /etc/apt/packages.list.new
 ADD config/container/package-hashes.txt /etc/apt/package-hashes.txt
 ADD config/container/apt.conf /etc/apt/apt.conf
 RUN apt-install

config/container/sources.list

@@ -1,6 +1,6 @@
-deb http://deb.debian.org/debian buster main
-deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster main
-deb http://security.debian.org/debian-security buster/updates main
-deb http://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
-deb http://deb.debian.org/debian buster-updates main
-deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main
+deb https://deb.debian.org/debian buster main
+deb https://snapshot.debian.org/archive/debian/20201016T000000Z buster main
+deb https://security.debian.org/debian-security buster/updates main
+deb https://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
+deb https://deb.debian.org/debian buster-updates main
+deb https://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main

scripts/apt-install

@@ -1,8 +1,14 @@
 #!/usr/bin/env bash
 set -e;
 
+# Get latest apt-transport-https and ca-certificates for safer https apt
 apt-get update
-until apt-get install --download-only -y $(cat /etc/apt/packages.list); do
+apt-get install -y apt-transport-https ca-certificates
+
+mv /etc/apt/sources.list{.new,}
+mv /etc/apt/packages.list{.new,}
+apt-get update
+until apt-get install --download-only --reinstall -y $(cat /etc/apt/packages.list); do
     echo "apt install failed. Likely throttled. Retrying in 10 mins...";
     sleep 600;
 done;
@@ -18,4 +24,4 @@ diff /etc/apt/package-hashes{,-compare}.txt
 
 apt-get install -y $(cat /etc/apt/packages.list)
 
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*;
+rm -rf /var/ache/apt/archives/* /var/lib/apt/lists/* /tmp/* /var/tmp/*;

scripts/update-packages

@@ -5,19 +5,19 @@ set -e
 cat /etc/apt/packages-old.list | sed 's/=.*//g' \
 	> /etc/apt/packages.list
 
-snapshot_date=$(date -d @${GIT_EPOCH} +"%Y%m%dT000000Z")
-cat <<-EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian buster main
-deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster main
-deb http://security.debian.org/debian-security buster/updates main
-deb http://snapshot.debian.org/archive/debian-security/${snapshot_date} buster/updates main
-deb http://deb.debian.org/debian buster-updates main
-deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates main
-EOF
-
 apt-get update
 apt-get install -y --download-only $(cat /etc/apt/packages.list)
 
+snapshot_date=$(date -d @${GIT_EPOCH} +"%Y%m%dT000000Z")
+cat <<-EOF > /etc/apt/sources.list
+deb https://deb.debian.org/debian buster main
+deb https://snapshot.debian.org/archive/debian/${snapshot_date} buster main
+deb https://security.debian.org/debian-security buster/updates main
+deb https://snapshot.debian.org/archive/debian-security/${snapshot_date} buster/updates main
+deb https://deb.debian.org/debian buster-updates main
+deb https://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates main
+EOF
+
 (
 	cd /var/cache/apt/archives \
 		&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \