This is an archive of the discontinued LLVM Phabricator instance.

Differential D50431

generalize SKS key server in debian8 Dockerfile
AcceptedPublic

Authored by bebuch on Aug 8 2018, 3:27 AM.

Details

Reviewers
azharudd
malcolm.parsons
hintonda
ilya-biryukov
Summary

pgp.mit.edu is often down. I recommend changing to pool.sks-keyservers.net, which is the SKS key server pool that pgp.mit.edu is a part of. This will generally be more reliable since any member servers (including pgp.mit.edu) could answer the key request.

Diff Detail

Repository
rL LLVM

Event Timeline

bebuch created this revision.Aug 8 2018, 3:27 AM
Herald added a subscriber: llvm-commits. ยท View Herald TranscriptAug 8 2018, 3:27 AM
RKSimon resigned from this revision.Aug 8 2018, 6:01 AM
RKSimon edited reviewers, added: azharudd, malcolm.parsons, hintonda; removed: RKSimon.

Sorry but I'm really not the person to review this - adding some people that have touched the utils/docker folder that I can find on phab

azharudd added a reviewer: ilya-biryukov.Aug 8 2018, 4:06 PM

Adding Ilya who is the original author of that file.

ilya-biryukov added a comment.Aug 9 2018, 1:26 AM

Maybe hard-code the SHA256 checksum directly into the script instead?
Going through the keyservers does not seem to buy us much in terms of security and we certainly don't update the Dockerfiles very often, so it does not take too much time to verify those SHA256 checksums by hand when we do.
Using the gpg was a mistake on my end, it makes things more complicated and less reliable.

bebuch added a comment.Aug 10 2018, 5:36 AM

I don't have enough experience in this area to evaluate that. I suggest to accept the current patch (which is definitely an easy to understand improvement) and discuss your suggestion in a separate patch. One step at a time. ;-)

ilya-biryukov accepted this revision.Aug 10 2018, 6:59 AM

Sure, LGTM, did not want to block you.

If you're interested in further improvements, the idea is to:

  1. remove all references to gpg from the script.
  2. hard-code the SHA256 in the script and use it to validate the download, i.e.
echo "0e6ec35d4fa9bf79800118916b51928b6471d5725ff36f1d0de5ebb34dcd5406 cmake-3.7.2-Linux-x86_64.tar.gz" | \
      sha256sum -c -
This revision is now accepted and ready to land.Aug 10 2018, 6:59 AM

Revision Contents

PathSize
utils/
docker/
debian8/
2 lines

Diff 159671

utils/docker/debian8/Dockerfile

Show All 20 Lines
# Install a newer ninja release. It seems the older version in the debian repos # Install a newer ninja release. It seems the older version in the debian repos
# randomly crashes when compiling llvm. # randomly crashes when compiling llvm.
RUN wget "https://github.com/ninja-build/ninja/releases/download/v1.8.2/ninja-linux.zip" && \ RUN wget "https://github.com/ninja-build/ninja/releases/download/v1.8.2/ninja-linux.zip" && \
echo "d2fea9ff33b3ef353161ed906f260d565ca55b8ca0568fa07b1d2cab90a84a07 ninja-linux.zip" \ echo "d2fea9ff33b3ef353161ed906f260d565ca55b8ca0568fa07b1d2cab90a84a07 ninja-linux.zip" \
| sha256sum -c && \ | sha256sum -c && \
unzip ninja-linux.zip -d /usr/local/bin && \ unzip ninja-linux.zip -d /usr/local/bin && \
rm ninja-linux.zip rm ninja-linux.zip
# Import public key required for verifying signature of cmake download. # Import public key required for verifying signature of cmake download.
RUN gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684 RUN gpg --keyserver hkp://pool.sks-keyservers.net --recv 0x2D2CEF1034921684
# Download, verify and install cmake version that can compile clang into /usr/local. # Download, verify and install cmake version that can compile clang into /usr/local.
# (Version in debian8 repos is is too old) # (Version in debian8 repos is is too old)
RUN mkdir /tmp/cmake-install && cd /tmp/cmake-install && \ RUN mkdir /tmp/cmake-install && cd /tmp/cmake-install && \
wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt.asc" && \ wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt.asc" && \
wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt" && \ wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt" && \
gpg --verify cmake-3.7.2-SHA-256.txt.asc cmake-3.7.2-SHA-256.txt && \ gpg --verify cmake-3.7.2-SHA-256.txt.asc cmake-3.7.2-SHA-256.txt && \
wget "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" && \ wget "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" && \
( grep "cmake-3.7.2-Linux-x86_64.tar.gz" cmake-3.7.2-SHA-256.txt | \ ( grep "cmake-3.7.2-Linux-x86_64.tar.gz" cmake-3.7.2-SHA-256.txt | \
Show All 24 Lines