freedomofpress / ansible-role-grsecurity

The documentation and build system for the grsecurity kernel maintained by the Freedom of the Press Foundation for SecureDrop
GNU General Public License v2.0

Make sure Vagrant boxes are downloaded over HTTPS #37

Closed ecneladis closed 8 years ago

conorsch commented 8 years ago

@ecneladis This change seems superfluous to me, since ubuntu/trusty64 already maps to an HTTPS URL:

vagrant box update
==> grsec-build: Checking for updates to 'ubuntu/trusty64'
    grsec-build: Latest installed version: 20151217.0.0
    grsec-build: Version constraints: 
    grsec-build: Provider: virtualbox
==> grsec-build: Updating 'ubuntu/trusty64' with provider 'virtualbox' from version
==> grsec-build: '20151217.0.0' to '20160107.1.0'...
==> grsec-build: Loading metadata for box 'https://atlas.hashicorp.com/ubuntu/trusty64'
==> grsec-build: Adding box 'ubuntu/trusty64' (v20160107.1.0) for provider: virtualbox
    grsec-build: Downloading: https://vagrantcloud.com/ubuntu/boxes/trusty64/versions/20160107.1.0/providers/virtualbox.box

If you've seen different behavior, please let me know.

There's an additional advantage to using the ubuntu/trusty64 boxes: they're updated every week or two, meaning an apt-get upgrade takes significantly less time on newer boxes. Saves a lot of time if you frequently destroy and recreate VMs. The URL you posted is not updated nearly as often.

ecneladis commented 8 years ago

@conorsch Unfortunately not. Vagrant is very misleading here: it allows a redirect to HTTP and does not show it.

~ ❯ curl -I https://vagrantcloud.com/ubuntu/boxes/trusty64/versions/20160107.1.0/providers/virtualbox.box | grep Location
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Location: http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box

conorsch commented 8 years ago

@ecneladis OK, but can you show an example of HTTPS -> HTTP using the default ubuntu/trusty64 URL?

curl -I https://atlas.hashicorp.com/ubuntu/trusty64 | grep Location
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   115    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Location: https://atlas.hashicorp.com/ubuntu/boxes/trusty64

ecneladis commented 8 years ago

@conorsch It's a longer chain of redirects:

curl -I https://atlas.hashicorp.com/ubuntu/trusty64 | grep Location
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   115    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Location: https://atlas.hashicorp.com/ubuntu/boxes/trusty64
~ ❯ curl -L https://atlas.hashicorp.com/ubuntu/boxes/trusty64 | head -c1000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20484    0 20484    0     0  15657   {"description":"This is the official Ubuntu Server 64-bit 14.04 cloud image. This box always points to the `current` version. \r\n\r\nIf you need a specific snapshot check out the [Vagrant section](http://cloud-images.ubuntu.com/vagrant/) of Ubuntu.com.","short_description":"Official Ubuntu Server 14.04 LTS (Trusty Tahr) builds","name":"ubuntu/trusty64","versions":[{"version":"20160107.1.0","status":"active","description_html":null,"description_markdown":null,"providers":[{"name":"virtualbox","url":"https://vagrantcloud.com/ubuntu/boxes/trusty64/versions/20160107.1.0/providers/virtualbox.box"}]},{"version":"20151218.0.1","status":"active","description_html":null,"description_markdown":null,"providers":[{"name":"virtualbox","url":"https://vagrantcloud.com/ubuntu/boxes/trusty64/versions/20151218.0.1/providers/virtualbox.box"}]},{"version":"20151218.0.0","status":"active","description_html":null,"description_markdown":null,"providers":[{"name":"virtualbox","url":"https://vagrantcloud.com/

Then Vagrant gets the latest box from the JSON.

~ ❯ curl -I https://vagrantcloud.com/ubuntu/boxes/trusty64/versions/20160107.1.0/providers/virtualbox.box | grep Location
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Location: http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.b

Boom, finally http.

Sent you an email with some details.
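
An added example, not part of the original thread or of the project's code: a shell check that reads the header dump from `curl -sIL` and reports the first hop where the chain leaves HTTPS. The function names and the sample headers (including the status lines) are constructed for illustration; only the two URLs come from the comment above.

```shell
#!/bin/sh
# Report the first https -> http hop in a redirect chain.
# Input on stdin: the header dump printed by `curl -sIL URL` (one block per hop).

# Constructed sample: the box download hop quoted in the thread, not a live capture.
START_URL='https://vagrantcloud.com/ubuntu/boxes/trusty64/versions/20160107.1.0/providers/virtualbox.box'
sample_headers() {
  cat <<'EOF'
HTTP/1.1 302 Found
Location: http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box

HTTP/1.1 200 OK
Content-Type: application/octet-stream
EOF
}

# first_downgrade START_URL < headers
# Prints "FROM -> TO" and returns 1 on the first downgrade; silent and 0 otherwise.
first_downgrade() {
  awk -v cur="$1" '
    tolower($1) == "location:" {
      nxt = $2
      sub(/\r$/, "", nxt)                   # curl output keeps CRLF line ends
      if (nxt ~ /^\/\//) {                  # scheme-relative: keep current scheme
        nxt = substr(cur, 1, index(cur, ":")) nxt
      } else if (nxt ~ /^\//) {             # host-relative: keep scheme and host
        match(cur, /^[A-Za-z]+:\/\/[^\/]+/)
        nxt = substr(cur, 1, RLENGTH) nxt
      }
      if (tolower(cur) ~ /^https:/ && tolower(nxt) ~ /^http:/) {
        print cur " -> " nxt
        exit 1
      }
      cur = nxt
    }'
}

# Offline demo on the constructed sample.
sample_headers | first_downgrade "$START_URL" || echo "downgrade found: fail the build"

# Live use (needs network):
#   curl -sIL "$url" | first_downgrade "$url"
# curl can also refuse such a hop itself:
#   curl --proto '=https' --proto-redir '=https' -fsSLO "$url"
```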

conorsch commented 8 years ago

Requires rebase, but should be merged.

conorsch commented 8 years ago

Rebased and resubmitted as #54. @ecneladis, thank you very much for reporting this, and for in-depth discussion of it outside this thread.