Page MenuHomePhabricator

generalize SKS key server in debian8 Dockerfile
AcceptedPublic

Authored by bebuch on Aug 8 2018, 3:27 AM.

Details

Summary

pgp.mit.edu is often down. I recommend changing to pool.sks-keyservers.net, which is the SKS key server pool that pgp.mit.edu is a part of. This will generally be more reliable since any member servers (including pgp.mit.edu) could answer the key request.

Diff Detail

Repository
rL LLVM

Event Timeline

bebuch created this revision.Aug 8 2018, 3:27 AM
RKSimon resigned from this revision.Aug 8 2018, 6:01 AM
RKSimon edited reviewers, added: azharudd, malcolm.parsons, hintonda; removed: RKSimon.

Sorry but I'm really not the person to review this - adding some people that have touched the utils/docker folder that I can find on phab

Adding Ilya who is the original author of that file.

Maybe hard-code the SHA256 checksum directly into the script instead?
Going through the keyservers does not seem to buy us much in terms of security and we certainly don't update the Dockerfiles very often, so it does not take too much time to verify those SHA256 checksums by hand when we do.
Using the gpg was a mistake on my end, it makes things more complicated and less reliable.

I don't have enough experience in this area to evaluate that. I suggest to accept the current patch (which is definitely an easy to understand improvement) and discuss your suggestion in a separate patch. One step at a time. ;-)

ilya-biryukov accepted this revision.Aug 10 2018, 6:59 AM

Sure, LGTM, did not want to block you.

If you're interested in further improvements, the idea is to:

  1. remove all references to gpg from the script.
  2. hard-code the SHA256 in the script and use it to validate the download, i.e.
echo "0e6ec35d4fa9bf79800118916b51928b6471d5725ff36f1d0de5ebb34dcd5406 cmake-3.7.2-Linux-x86_64.tar.gz" | \
      sha256sum -c -
This revision is now accepted and ready to land.Aug 10 2018, 6:59 AM