thoschworks
commented
4 years ago After looking into it, I think
- changing the url for the key is easy
- changing url for the repository is not simple or probably impossible without changing the structure.
Using https for retrieving the key is simple and changes in two line are necessary:
&& DEBIAN_FRONTEND=noninteractive apt-get install -y gnupg ca-certificates \
&& apt-key adv --fetch-keys https://www.webmin.com/jcameron-key.asc \The additional package 'ca-certificates' in line 3 is necessary to verify the certificate.
And this is the point which -in my opinion- breaks the two-stage-approach, if the url of the repository is changed to https:
- In line 19 of
Dockerfile/etc/apt/sourcesfrom stage 1 is copied to stage 2. - In line 22 the package informations are updated via
apt-get update. - This will fail, because there is no certificate information for
https://download.webmin.comin this stage. But without this step it is not possible to addca-certificatesto this stage (which is needed for runningapt-get updatewithout error, which is needed to installca-certificates…).
I think using https only for retrieving the key should be o.k.:
- The key is retrieved over a secured connection
- The packages are retrieved over an unprotected connection, but they are checked with the key.
If you look into the /etc/apt/source.list on your system, the urls for the repositories from Debian or Ubuntu are all "only" http.
If the url for the repository should also be switched to https then the concept have to be switched to one stage and the following changes have to be made:
- remove in line 1 from
AS … - change line 4+5 as shown above
- change the url in line 5
- remove line 8
- remove line 17-19
- some refactoring to make the code nice again
This is more a question, but these lines below appear unsafe to me, are they?
Adding a key and repository without https opens up the possibility of installing packages from a MITM attack.