Raku / docker

Docker files for Rakudo Star
Artistic License 2.0

Update security of Dockerfile #18

Closed jstuder-gh closed 6 years ago

jstuder-gh commented 6 years ago

@tianon, I noticed that the Travis build is failing with gpg2: not found, which surprises me as it builds just fine for me on my local machine (it should be using the same base image, right?)

Would it be best to use plain 'gpg' here? Given the base image, I believe gpg is an alias for gpg2, but if not and GPG v1.* were used would that greatly affect security in this instance? Thanks.

zakame commented 6 years ago

@jstuder-gh gpg on buildpack-deps should already be gpg2:

θ69° [zakame:~] % docker run --rm -it buildpack-deps:stretch /bin/sh
# which gpg2
# dpkg -s gnupg | grep Version
Version: 2.1.18-8~deb9u1
# which gpg
/usr/bin/gpg
# gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

So it's better to use gpg in the Dockerfile RUNs.
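The gpg/gpg2 question above, worked as an added example (not code from the Raku/docker repository): pick whichever GnuPG binary the image actually provides, refuse a GnuPG 1.x binary explicitly instead of assuming `gpg` is 2.x, and only then verify a detached signature against a keyring holding the expected release key. The keyring path, tarball and signature file names are assumptions.

```shell
set -eu

# Return the name of the first GnuPG binary found on PATH: prefer "gpg"
# (already GnuPG 2 on buildpack-deps:stretch), fall back to "gpg2".
pick_gpg() {
    for cand in gpg gpg2; do
        if command -v "$cand" >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Given the first line of "gpg --version" (e.g. "gpg (GnuPG) 2.1.18"),
# succeed only for a 2.x release so a GnuPG 1.x binary is rejected.
is_gnupg2() {
    case "$1" in
        "gpg (GnuPG) 2."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verify a detached signature using a keyring that contains only the
# expected release key (keyring path and file names are assumptions).
verify_release() {
    tarball=$1; sig=$2; keyring=$3
    bin=$(pick_gpg) || { echo "no gpg/gpg2 on PATH" >&2; return 1; }
    ver=$("$bin" --version | head -n 1)
    is_gnupg2 "$ver" || { echo "need GnuPG 2.x, got: $ver" >&2; return 1; }
    "$bin" --no-default-keyring --keyring "$keyring" --verify "$sig" "$tarball"
}
```

In a Dockerfile RUN this would be called as `verify_release rakudo-star.tar.gz rakudo-star.tar.gz.asc /tmp/release.gpg` after fetching the files; `docker build --pull` keeps the base image (and therefore the gpg version) current.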

jstuder-gh commented 6 years ago

Thanks @zakame for confirming on your end. I've updated the branch accordingly.

hoelzro commented 6 years ago

If all looks good to @tianon, I can merge this!

tianon commented 6 years ago

Looks great to me! 👌

The gpg2 discrepancy was likely just an outdated base image; doing docker build --pull ... would probably help/fix that. 👍

hoelzro commented 6 years ago

Ok, thanks @jstuder-gh for the contribution, and thanks to @tianon and @zakame for reviewing!