From 64ea4caac1a5863ed85b51f669121d6a2b08b0f6 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Thu, 16 Mar 2017 11:43:46 +0100
Subject: [PATCH 1/2] buildserver: allow gradle/sdkmanager to install into the new m2repository

Google is pushing gradle towards downloading all the SDK components that it needs, rather than having a preconfigured SDK installed. The buildserver strongly supports the old model, with added checksum checking even. We can still support the old model by pre-configuring the SDK and locking it down as root. This can then also support the new model by setting the file perms so that new packages can be auto-installed, but they cannot overwrite any packages that come pre-installed and pre-verified. fdroiddata!2096 closes #247
---
 buildserver/provision-android-sdk | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/buildserver/provision-android-sdk b/buildserver/provision-android-sdk
index 56f72e06..e5a4202a 100644
--- a/buildserver/provision-android-sdk
+++ b/buildserver/provision-android-sdk
@@ -34,6 +34,8 @@ disabled="
 @disabled@https\://dl.google.com/android/repository/sys-img/google_apis/sys-img.xml=disabled
 "
 test -d ${HOME}/.android || mkdir ${HOME}/.android
+# there are currently zero user repos
+echo 'count=0' > ${HOME}/.android/repositories.cfg
 for line in $disabled; do
 echo $line >> ${HOME}/.android/sites-settings.cfg
 done
@@ -85,3 +87,8 @@ find $ANDROID_HOME/ -type f -executable -print0 | xargs -0 chmod a+x
 # allow gradle to install newer build-tools versions
 chgrp vagrant $ANDROID_HOME/build-tools
 chmod g+w $ANDROID_HOME/build-tools
+
+# allow gradle/sdkmanager to install into the new m2repository
+test -d $ANDROID_HOME/extras/m2repository || mkdir -p $ANDROID_HOME/extras/m2repository
+find $ANDROID_HOME/extras/m2repository -type d | xargs chgrp vagrant
+find $ANDROID_HOME/extras/m2repository -type d | xargs chmod g+w
From 580a9eb058e48751c5bbb3672e454d9340ae9657 Mon Sep 17 00:00:00 2001
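Review bot: In the second hunk of buildserver/provision-android-sdk, `chmod g+w` is applied to every directory under `$ANDROID_HOME/extras/m2repository`, and write access to a directory lets the `vagrant` group delete or rename the entries in it regardless of who owns the files themselves. If that tree already holds pre-installed, checksum-verified artifacts when this runs (not visible in the hunk), the commit message's guarantee that they cannot be overwritten does not hold for them. Setting the restricted-deletion bit together with the group write bit keeps root-owned entries in place while still allowing new ones to be created: `find $ANDROID_HOME/extras/m2repository -type d -print0 | xargs -0 chmod g+w,+t`. The `-print0 | xargs -0` form also matches the `find` shown in the hunk header and should be used on the `chgrp` line as well.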
From: Hans-Christoph Steiner
Date: Thu, 16 Mar 2017 14:48:08 +0100
Subject: [PATCH 2/2] buildserver: support HTTPS Debian mirrors

The ever troublesome gpjenkins box needs to use HTTPS mirrors. Plus it improves the security of the buildserver, since there have been CVEs that HTTPS would protect against: https://www.debian.org/security/2016/dsa-3733
---
 buildserver/provision-apt-get-install | 9 +++++++--
 jenkins-build-makebuildserver | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/buildserver/provision-apt-get-install b/buildserver/provision-apt-get-install
index 8edefb50..996454e8 100644
--- a/buildserver/provision-apt-get-install
+++ b/buildserver/provision-apt-get-install
@@ -6,14 +6,19 @@ set -x
 debian_mirror=$1
-sed -i "s,http://ftp.uk.debian.org/debian/,${debian_mirror},g" /etc/apt/sources.list
-
 printf 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";\n' \
 > /etc/apt/apt.conf.d/99no-install-recommends
 printf 'APT::Acquire::Retries "20";\n' \
 > /etc/apt/apt.conf.d/99acquire-retries
+if echo $debian_mirror | grep '^https' 2>&1 > /dev/null; then
+ apt-get -y update
+ apt-get -y install apt-transport-https
+fi
+
+sed -i "s,http://ftp.uk.debian.org/debian/,${debian_mirror},g" /etc/apt/sources.list
+
 if grep --quiet jessie /etc/apt/sources.list; then
 echo "deb $debian_mirror jessie-backports main" > /etc/apt/sources.list.d/backports.list
 echo "deb $debian_mirror testing main" > /etc/apt/sources.list.d/testing.list
diff --git a/jenkins-build-makebuildserver b/jenkins-build-makebuildserver
index 430b27a3..6d459fa5 100755
--- a/jenkins-build-makebuildserver
+++ b/jenkins-build-makebuildserver
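Review bot: The added `if` block in buildserver/provision-apt-get-install runs `apt-get -y update` and `apt-get -y install apt-transport-https` before the `sed` rewrites /etc/apt/sources.list, so the transport package itself is still fetched from whatever plain-HTTP entry is there, outside the protection the commit message cites, and on a host that can only reach HTTPS mirrors this step would fail. The ordering is needed to bootstrap HTTPS support, but it should be stated in a comment above the block, e.g. `# bootstrap: fetched over the existing http mirror, authenticated only by apt's signature check`. The test itself has its redirections in the wrong order, so grep's stderr is not silenced; `if printf '%s\n' "$debian_mirror" | grep -q '^https'; then` does what is intended and quotes the argument. The script continues past the hunk, so whether other sources.list entries stay on HTTP after the `sed` cannot be judged from here.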
@@ -46,7 +46,7 @@ export VAGRANT_HOME=$WORKSPACE/vagrant.d
 mkdir $VAGRANT_HOME
 cd $WORKSPACE
-echo "debian_mirror = 'http://ftp.uk.debian.org/debian/'" > $WORKSPACE/makebuildserver.config.py
+echo "debian_mirror = 'https://deb.debian.org/debian/'" > $WORKSPACE/makebuildserver.config.py
 echo "boot_timeout = 1200" >> $WORKSPACE/makebuildserver.config.py
 echo "apt_package_cache = True" >> $WORKSPACE/makebuildserver.config.py
 ./makebuildserver --verbose --clean