From c8a07da24b17ad2a64b958f4b4645fa8439b9f0d Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Fri, 16 Oct 2020 02:44:26 -0700
Subject: [PATCH] use https with apt wherever possible

---
 config/container/Dockerfile | 6 +++---
 config/container/sources.list | 12 ++++++------
 scripts/apt-install | 10 ++++++++--
 scripts/update-packages | 20 ++++++++++----------
 4 files changed, 27 insertions(+), 21 deletions(-)

diff --git a/config/container/Dockerfile b/config/container/Dockerfile
index 39684d3..d34bc2d 100644
--- a/config/container/Dockerfile
+++ b/config/container/Dockerfile
@@ -10,9 +10,9 @@ ENV DEBIAN_FRONTEND=noninteractive \
 
 ADD scripts/ /usr/local/bin/
 
-## Install packages from packages.list with retry
-ADD config/container/sources.list /etc/apt/sources.list
-ADD config/container/packages.list /etc/apt/packages.list
+## Download, verify, and install packages against stored lists/hashes via https
+ADD config/container/sources.list /etc/apt/sources.list.new
+ADD config/container/packages.list /etc/apt/packages.list.new
 ADD config/container/package-hashes.txt /etc/apt/package-hashes.txt
 ADD config/container/apt.conf /etc/apt/apt.conf
 RUN apt-install
diff --git a/config/container/sources.list b/config/container/sources.list
index df86716..c2275ea 100644
--- a/config/container/sources.list
+++ b/config/container/sources.list
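Review bot: The rewritten comment says the lists are used "via https" but not why sources.list and packages.list are now staged with a `.new` suffix, which is the non-obvious part of this hunk; the suffix only makes sense together with the `mv` steps in scripts/apt-install, which bootstrap ca-certificates from the base image's own sources before moving the staged lists into place. A reader of the Dockerfile alone cannot tell that the `.new` files are renamed later, and nothing here documents that coupling. Suggest extending the comment to something like `## Lists are staged as *.new: apt-install first installs ca-certificates from the base image's sources, then moves them into place and fetches everything else over https`.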
@@ -1,6 +1,6 @@
-deb http://deb.debian.org/debian buster main
-deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster main
-deb http://security.debian.org/debian-security buster/updates main
-deb http://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
-deb http://deb.debian.org/debian buster-updates main
-deb http://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main
+deb https://deb.debian.org/debian buster main
+deb https://snapshot.debian.org/archive/debian/20201016T000000Z buster main
+deb https://security.debian.org/debian-security buster/updates main
+deb https://snapshot.debian.org/archive/debian-security/20201016T000000Z buster/updates main
+deb https://deb.debian.org/debian buster-updates main
+deb https://snapshot.debian.org/archive/debian/20201016T000000Z buster-updates main
diff --git a/scripts/apt-install b/scripts/apt-install
index 1f1fc4a..1e0cee3 100755
--- a/scripts/apt-install
+++ b/scripts/apt-install
@@ -1,8 +1,14 @@
 #!/usr/bin/env bash
 set -e;
 
+# Get latest apt-transport-https and ca-certificates for safer https apt
 apt-get update
-until apt-get install --download-only -y $(cat /etc/apt/packages.list); do
+apt-get install -y apt-transport-https ca-certificates
+
+mv /etc/apt/sources.list{.new,}
+mv /etc/apt/packages.list{.new,}
+apt-get update
+until apt-get install --download-only --reinstall -y $(cat /etc/apt/packages.list); do
 echo "apt install failed. Likely throttled. Retrying in 10 mins...";
 sleep 600;
 done;
@@ -18,4 +24,4 @@ diff /etc/apt/package-hashes{,-compare}.txt
 
 apt-get install -y $(cat /etc/apt/packages.list)
 
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*;
+rm -rf /var/ache/apt/archives/* /var/lib/apt/lists/* /tmp/* /var/tmp/*;
diff --git a/scripts/update-packages b/scripts/update-packages
index d558527..970fd61 100755
--- a/scripts/update-packages
+++ b/scripts/update-packages
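Review bot: The six entries in this file are a verbatim copy of the heredoc that scripts/update-packages writes to /etc/apt/sources.list in the same commit, with the snapshot timestamp repeated six times, so the two copies must be edited in lockstep (this commit itself touches both). Nothing on the page states whether this file is hand-maintained or refreshed from the container after update-packages runs. If it is the latter, a header comment such as `# Regenerated by scripts/update-packages from GIT_EPOCH; edit the heredoc there, not this file` would stop the copies from drifting; if it is the former, the duplicated list is a candidate for being derived from one template.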
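Review bot: The bootstrap `apt-get update` followed by `apt-get install -y apt-transport-https ca-certificates` on the new lines 4-6 runs against whatever sources.list the base image ships, so these two packages are fetched unpinned and before the hash-checked path; the `--reinstall` added to the later `until` line is presumably what re-downloads them so they are covered by package-hashes.txt, but the comment above the block does not say so. On buster, apt has https support built in and apt-transport-https is only a transitional package, so ca-certificates is the one package the switch actually needs. Suggest making both points explicit in the comment, e.g. `# Bootstrap ca-certificates from the base image's (unpinned) sources; --reinstall below re-fetches it so it is still hash-checked`, and dropping apt-transport-https if the base image's apt is new enough to not need it.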
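Review bot: The added cleanup path `/var/ache/apt/archives/*` is missing the `c` of `/var/cache`; because the glob matches nothing and `rm -rf` ignores missing operands, the line succeeds under `set -e` while leaving every downloaded .deb in the image layer, which is exactly what the new path was meant to remove. Change it to `rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/* /tmp/* /var/tmp/*;`, or run `apt-get clean` before the `rm`, which clears the archive cache without spelling out the path.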
@@ -5,19 +5,19 @@ set -e
 cat /etc/apt/packages-old.list | sed 's/=.*//g' \
 > /etc/apt/packages.list
 
-snapshot_date=$(date -d @${GIT_EPOCH} +"%Y%m%dT000000Z")
-cat <<-EOF > /etc/apt/sources.list
-deb http://deb.debian.org/debian buster main
-deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster main
-deb http://security.debian.org/debian-security buster/updates main
-deb http://snapshot.debian.org/archive/debian-security/${snapshot_date} buster/updates main
-deb http://deb.debian.org/debian buster-updates main
-deb http://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates main
-EOF
-
 apt-get update
 apt-get install -y --download-only $(cat /etc/apt/packages.list)
 
+snapshot_date=$(date -d @${GIT_EPOCH} +"%Y%m%dT000000Z")
+cat <<-EOF > /etc/apt/sources.list
+deb https://deb.debian.org/debian buster main
+deb https://snapshot.debian.org/archive/debian/${snapshot_date} buster main
+deb https://security.debian.org/debian-security buster/updates main
+deb https://snapshot.debian.org/archive/debian-security/${snapshot_date} buster/updates main
+deb https://deb.debian.org/debian buster-updates main
+deb https://snapshot.debian.org/archive/debian/${snapshot_date} buster-updates main
+EOF
+
 (
 cd /var/cache/apt/archives \
 && find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
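Review bot: After the move, `apt-get update` and `apt-get install -y --download-only` run before the heredoc writes the snapshot-pinned /etc/apt/sources.list, so the packages that get downloaded, and then hashed by the `find ... sha256sum` block that follows, come from whatever sources.list was already in place rather than from the `${snapshot_date}` derived from GIT_EPOCH; the regenerated list only takes effect on a later `apt-get update`, which does not appear in this hunk. If package-hashes.txt is meant to describe the snapshot named in the committed sources.list, the heredoc should stay ahead of the download as it was before this commit, or a second `apt-get update` should follow `EOF`. This may be intentional if update-packages is supposed to fetch from the currently installed https list first, but then a comment such as `# NOTE: the downloads and hashes below use the sources.list already in place; the regenerated list applies on the next update` would make that explicit.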