Rather than needing to run a command before and after the build, in order
to first install the debug.keystore, then after to fetch and publish the
APK, this makes `fdroid nightly` just resign the APK with the provided
debug.keystore. Then `fdroid nightly` can be run as the final step in a CI
build, and still ensure that the APKs are always signed by the provided
debug.keystore.
If we allow SSH, then we'd have to manage known_hosts.
All VCS and submodule URLs should use HTTPS. SSH URLs have security vulns:
https://blogs.msdn.microsoft.com/devops/2017/08/15/git-vulnerability-with-submodules/https://www.theregister.co.uk/2017/08/13/ssh_flaw_in_git_mercurial_svn/
CVE-2017-1000117
I did a manual scan of the setup on jenkins.debian.net to see if I could
find any suspicious URLs. Looks good so far. This is what I used:
find . -type f -print0 |xargs -0 grep -Eo 'ssh[:+][svn/]+...................'
find . -type f -print0 |xargs -0 grep -Eo 'ssh://-[^ "]+'
Also, some ssh://_ URLs in submodules might still work, because of the URL
rewriting in fdbfb4d1. But https://-oProxyCommand=pwnme does not really do
anything, unlike ssh://-oProxyCommand=pwnme
Later revisions might have removed the submodules so we want to keep
going when there are no submodules present.
We still abort when there is an error initializing submodules.
Fixesfdroid/fdroidserver#231
Something is preventing `fdroid build --all` from exiting after a long
run. @bubu, @uniqx and I think it is because of the use of
AsynchronousFileReader, somehow it's thread does not exit. So the
workaround for now is to just try a hard exit instead of waiting for
things to finish cleanly with `sys.exit(0)`.
https://jenkins.debian.net/job/reproducible_fdroid_build_apps/94/console
When running `fdroid build --all` on a buildserver with thousands of apps,
it was frequently hitting the open file limit. This increases the open
file limit based on how many apps are being process. It is doubled to
provide a margin of safety.
There are probably open file leaks which ideally would be fixed, but this
is also useful to make things more resilient to all the random stuff apps
include in their build systems.
This creates a mirror of a full repo by downloading all files listed in
the index, and the ones that are generated based on that data, e.g. icons
of different resolutions. This could be useful for setting up mirrors of
small repositories, instead of having to learn and manage rsync or
something else for mirroring. This just needs a working repo.
It uses wget in a batch mode with the aim as being as efficient as
possible. wget mirroring over HTTP is always going to be less efficient
than rsync, but it shouldn't be so bad since it uses --continue to check
whether it has already downloaded a file. I suppose it could be extended
to use ETags for a little more efficiency.
I developed this creating a test mirror of f-droid.org, which is now a bit
ironic, since I added a specific check to prevent people from using this
on f-droid.org.
Sending many small files with paramiko's sftp implementation is quite
slow. There seems to be no way around this, other projects (ansible)
recommend to use rsync in this case.
Our sourcecode directories sometimes have a LOT of files, it can take
up to an hour to copy all required things inside the buildserver.
Instead we just use rsync with the ssh options we get from vagrant.
For rsync specific options we use:
* sync permissions as before
* sync symlinks (was done partially before)
* don't sync hardlinks and ownership as these don't make for things
coming from a VCS
Closesfdroid/fdroidserver#227.
This was introduced in cd23bb933c
apparently to work around problems in vagrant 1.3.5.
This seems not to be necessary any more, I have never had a problem with
those sleeps removed.
We never allow git via SSH or password/key access, and right now, this
causes things to hang forever. This sets things up to fail quickly
with invalid ssh connections.
BatchMode=yes - passphrase/password querying will be disabled.
StrictHostKeyChecking=yes - never automatically prompt, or add host keys to
the ~/.ssh/known_hosts file, and refuse to connect to hosts whose host key
has changed.
If a git fetch/clone/submodule URL points to gitlab, github, bitbucket, etc
and that repo does not exist any more, those services will prompt the user
for a username/password so that the service can check if its a private
repo. Private repos show up the same as non-existent repos. This employs
two techniques for making sure that git never waits at those prompts. It
instead should just fail immediately. The buildserver has been hanging on
these prompts forever, until manually killed. This change will apply to
updates both on the buildserver host, and the buildserver guest vm.
This uses the "insteadOf" git config option to rewrite URLs to always use
HTTPS and then include a fake username/password so that git will use those
in the prompts and fail immediately. This trick has been in use on the
verification server for a long while and has been working well. It has
also been used on jenkins.debian.net in the host.
https://f-droid.org/en/docs/Verification_Server/
It also includes GIT_TERMINAL_PROMPT, which also prevents the bad behavior,
which was added in git 2.3.
https://github.com/blog/1957-git-2-3-has-been-released
Debug logging is not saved in buildserver logs. Also move this line into
build.py's main() to avoid duplication: common.setup_vcs(app) may be
called from parse_metadata() too.
