mirrors/fdroidserver
1
0
Fork 0
mirror of https://github.com/f-droid/fdroidserver.git synced 2025-09-13 14:32:28 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

buildserver: always use HTTPS for apt connections in Docker image

Browse source 
This configuration has been in use in .gitlab-ci.yml scripts for a while
now and has proven reliable.  This is a "low hanging fruit" improvement.
It provides an extra layer of protection for when their are apt vulns.  And
it makes it much harder to profile what a server/laptop is doing based on
the internet traffic.  The network observer will no longer be able to see
which packages are being downloaded since apt uses HTTP pipelining so size
attacks are not really possible. And HTTPS hides the URLs, filenames,
download contents, etc.
This commit is contained in:
Hans-Christoph Steiner 2025-02-13 14:58:16 +01:00
parent 05c4bf2483
commit 7988c54d00
2 changed files with 20 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

13
buildserver/Dockerfile
View file

@ -37,11 +37,22 @@ RUN useradd --create-home -s /bin/bash vagrant && echo -n 'vagrant:vagrant' | ch
#
# Ensure fdroidserver's dependencies are marked manual before purging
# unneeded packages, otherwise, all its dependencies get purged.
#
# The official Debian docker images ship without ca-certificates, so
# TLS certificates cannot be verified until that is installed. The
# following code temporarily turns off TLS verification, and enables
# HTTPS, so at least unverified TLS is used for apt-get instead of
# plain HTTP. Once ca-certificates is installed, the CA verification
# is enabled by removing the newly created config file. This set up
# makes the initial `apt-get update` and `apt-get install` look the
# same as verified TLS to the network observer and hides the metadata.
RUN printf "path-exclude=/usr/share/locale/*\npath-exclude=/usr/share/man/*\npath-exclude=/usr/share/doc/*\npath-include=/usr/share/doc/*/copyright\n" >/etc/dpkg/dpkg.cfg.d/01_nodoc \
&& mkdir -p /usr/share/man/man1 \
&& echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99nocacertificates \
&& find /etc/apt/sources.list* -type f -exec sed -i s,http:,https:, {} \; \
&& apt-get update \
&& apt-get install ca-certificates \
&& sed -i 's,http:,https:,' /etc/apt/sources.list.d/debian.sources \
&& rm /etc/apt/apt.conf.d/99nocacertificates \
&& apt-get upgrade \
&& apt-get dist-upgrade \
&& apt-get install openssh-client iproute2 python3 openssh-server sudo \