artificialwisdomai / origin

Artificial Wisdom™ Cloud Platform
Apache License 2.0

Intel oneApi apt repository key is expired. #107

Closed sdake closed 1 year ago

sdake commented 1 year ago

In an attempt to build our implementation of faiss, I discovered the following:

/etc/apt/trusted.gpg.d/intel-sw-products.asc
--------------------------------------------
pub   rsa2048 2016-09-28 [SC] [expired: 2019-09-27]
      BF43 85F9 1CA5 FC00 5AB3  9E1C 1A84 97B1 1911 E097
uid           [ expired] "CN = Intel(R) Software Development Products", O=Intel Corporation

pub   rsa2048 2019-09-30 [SC] [expired: 2023-09-30]
      52AB D6E8 7E42 1793 9718  73FF ACFA 9FC5 7E6C 5DBE
uid           [ expired] Intel(R) Software Development Products

pub   rsa2048 2019-07-26 [SC] [expired: 2023-07-26]
      E1BA 4ECE FB06 56C6 1BF9  7949 36B9 569B 3F1A 1BC7
uid           [ expired] KEY-PIDT-PGP-20190726

pub   rsa2048 2020-05-18 [SC] [expires: 2024-05-18]
      6113 D313 62A0 D280 FC02  5AAB 6407 3642 7872 A220
uid           [ unknown] CN=Intel(R) Software Development Products (PREPROD USE ONLY)

We build with Intel MKL by using the apt repository installation mechanism. Unfortunately, today is 2023-10-1, and 52AB D6E8 7E42 1793 9718 73FF ACFA 9FC5 7E6C 5DBE is in an expired state.

sdake commented 1 year ago

I have confirmed this development quality approach is feasible and delivers a built faiss.

wise@wise-a40x1-1:~/repos/origin$ git diff
diff --git a/platform/packaging/build/faiss/Dockerfile b/platform/packaging/build/faiss/Dockerfile
index 51fc08e..24bae4b 100644
--- a/platform/packaging/build/faiss/Dockerfile
+++ b/platform/packaging/build/faiss/Dockerfile
@@ -61,7 +61,7 @@ RUN dpkg -i /workspace/cuda-keyring_1.1-1_all.deb
 # NB. we don't need the all of Intel's oneApi, we only need MKL.

 RUN curl -sL https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB | gpg --dearmor > /usr/share/keyrings/oneapi-archive-keyring.gpg
-RUN echo "deb [signed-by=/usr/share/keyrings/oneapi-archive-keyring.gpg] https://apt.repos.intel.com/oneapi all main" > /etc/apt/sources.list.d/oneAPI.list
+RUN echo "deb [trusted=yes] https://apt.repos.intel.com/oneapi all main" > /etc/apt/sources.list.d/oneAPI.list

 RUN apt update
 RUN apt install -y cuda-toolkit-12-2
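
Review bot: The `+` line swaps `[signed-by=/usr/share/keyrings/oneapi-archive-keyring.gpg]` for `[trusted=yes]`, which makes apt accept the oneAPI repository without verifying its signatures, so packages later installed from that repository are unauthenticated and the keyring written by the `curl ... | gpg --dearmor` line just above is left unused. Keep the `signed-by` form and let the build fail until a valid key is available from the repository owner; if a local unblock is unavoidable, keep it out of the committed Dockerfile. Separately, the unchanged `curl` line trusts whatever key the URL returns; checking the downloaded key's fingerprint against an expected value before dearmoring it would make a key swap visible.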

I noticed during this work we use http as a transport for apt when we should be using https.

More problematic is this workaround does no deb package signature check. These problems would result in security vulnerability disclosures, so these changes may not enter our git repository.

Thank you, -steve

sdake commented 1 year ago

This appears to have been resolved upstream by a key change. Closing.
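
The two conditions discussed in this thread (a repository signing key that has expired, and a sources entry that skips signature checks) can be caught by a pre-build check. The script below is an added example, not code from the issue or the origin repository; the function names are hypothetical and the key listing is constructed from the fingerprints and dates quoted above, with expiry assumed at 00:00 UTC.

```shell
#!/bin/sh
# Added example (not from the issue): pre-build checks for an apt signing key
# and its sources entry. Function names are hypothetical.

# key_status NOW_EPOCH WARN_DAYS  (stdin: `gpg --show-keys --with-colons FILE`)
# Prints "<EXPIRED|EXPIRING|OK> <fingerprint>" for each primary key.
key_status() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" { expires = $7; pending = 1; next }   # field 7: expiry, epoch seconds
        $1 == "fpr" && pending {                          # first fpr after pub is the primary key
            pending = 0
            if (expires == "")                        state = "OK"        # key never expires
            else if (expires + 0 <= now + 0)          state = "EXPIRED"
            else if (expires - now <= warn * 86400)   state = "EXPIRING"
            else                                      state = "OK"
            print state, $10                              # field 10: fingerprint
        }'
}

# insecure_sources  (stdin: sources.list text)
# Flags deb lines that disable verification or are not pinned to a keyring.
insecure_sources() {
    awk '/^[ \t]*deb(-src)?[ \t]/ {
        if ($0 ~ /trusted=yes/)       print "UNVERIFIED", $0
        else if ($0 !~ /signed-by=/)  print "UNPINNED", $0
    }'
}

# Constructed colon listing: fingerprints and dates are the ones quoted in the
# issue; expiry times are assumed to fall at 00:00 UTC.
sample_keys() {
    cat <<'EOF'
pub:e:2048:1:ACFA9FC57E6C5DBE:1569801600:1696032000::-:::sc::::::
fpr:::::::::52ABD6E87E421793971873FFACFA9FC57E6C5DBE:
pub:-:2048:1:640736427872A220:1589760000:1715990400::-:::sc::::::
fpr:::::::::6113D31362A0D280FC025AAB640736427872A220:
EOF
}

# Demo as of 2023-10-01 00:00 UTC, warning 30 days ahead of expiry.
sample_keys | key_status 1696118400 30
echo 'deb [trusted=yes] https://apt.repos.intel.com/oneapi all main' | insecure_sources
```

In a real build the listing would come from `gpg --show-keys --with-colons /usr/share/keyrings/oneapi-archive-keyring.gpg` and the first argument from `date +%s`; a non-empty EXPIRED or UNVERIFIED line is the condition to fail on.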