This configuration has been in use in .gitlab-ci.yml scripts for a while
now and has proven reliable. This is a "low hanging fruit" improvement.
It provides an extra layer of protection for when there are apt vulns. And
it makes it much harder to profile what a server/laptop is doing based on
the internet traffic. The network observer will no longer be able to see
which packages are being downloaded since apt uses HTTP pipelining so size
attacks are not really possible. And HTTPS hides the URLs, filenames,
download contents, etc.

Fixes this error:
> Unable to create pipeline
>
> 'pages' job needs 'Build documentation' job, but 'Build documentation'
> does not exist in the pipeline. This might be because of the only,
> except, or rules keywords. To need a job that sometimes does not exist
> in the pipeline, use needs:optional.

dash rarely changes and is reliably run on Debian in the hooks/pre-commit
job. So remove it from the macOS job, where it is flaky and hard to
troubleshoot (who has macOS? ;-)
https://gitlab.com/fdroid/fdroidserver/-/jobs/10454622138
```
==============================================================================
run commit hooks
+ echo_header 'run commit hooks'
+ test -x ./hooks/pre-commit
+ ./hooks/pre-commit
WARNING: pydocstyle is not installed, using dummy placeholder!
WARNING: pyflakes is not installed, using dummy placeholder!
WARNING: pycodestyle is not installed, using dummy placeholder!
./hooks/pre-commit: line 111: 20320 Segmentation fault: 11 $DASH -n $f
ERROR: dash tests failed!
```

For some reason, this logic thinks that this merge request has changed
makebuildserver and/or gradlew-fdroid, though it clearly has not. This
should shed some light on it.
https://gitlab.com/fdroid/fdroidserver/-/jobs/9835383262

Adding workflow: is required, otherwise there would be duplicate
pipelines for all users in the @fdroid group. There would be "branch
pipelines" and "merge request pipelines". Confusingly, only jobs with
rules: get duplicated.

* biplist is only used for Apple iOS IPA files.
* pycountry is only used for linting countryCodes in mirror configs.
Both of these are included via the Debian packaging, where those packages
and updates are more vetted. Homebrew for macOS makes it very difficult to
include optional dependencies, so this includes the optional dependencies
via distutils' method.

We can rely on the debian:testing job to test the bleeding edge, and it is
a lot easier to troubleshoot.
The Fedora job is a lot harder to troubleshoot than the Debian-based jobs,
and they are often quite bleeding edge. Currently, there is a change to
either Python or an image processing lib (Pillow?) that now compresses PNGs
differently than all previous releases. That breaks the tests based on
processing images and checking the SHA-256 matches.
70e7e720b9
fdroidserver!669
This has been in place in a number of other places and has proven stable,
so I'm introducing it here, since the "docker" job actually publishes
docker images that are publicly used. So little painless security fixes
are worthwhile.