travis-ci / apt-package-safelist

Safelist of apt packages approved for build environments with restricted sudo
MIT License

libgit2-24 is included in whitelist but not available in repositories #4285

Open aspiers opened 6 years ago

aspiers commented 6 years ago

3420 requested libgit2-24, and the consequent Travis CI run shows that at one point libgit2-24 was available from the Debian unstable repo:

Fetching source package for libgit2-24
libgit2-24:
  Installed: (none)
  Candidate: 0.24.1-2
  Version table:
     0.24.1-2 0
        500 http://ftp.us.debian.org/debian/ unstable/main amd64 Packages
W: Ignoring Provides line with DepCompareOp for package libapt-inst
W: Ignoring Provides line with DepCompareOp for package libapt-pkg
W: Ignoring Provides line with DepCompareOp for package libparse-cpan-meta-perl
W: Ignoring Provides line with DepCompareOp for package libjpeg62
W: Ignoring Provides line with DepCompareOp for package php-psr-http-message-implementation
W: Ignoring Provides line with DepCompareOp for package php-psr-log-implementation
W: Ignoring Provides line with DepCompareOp for package php-seclib
W: Ignoring Provides line with DepCompareOp for package php-sabre-http
W: Ignoring Provides line with DepCompareOp for package php-math-biginteger
W: Ignoring Provides line with DepCompareOp for package pypy-cffi
W: Ignoring Provides line with DepCompareOp for package pypy-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package pypy-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package libapt-inst
W: Ignoring Provides line with DepCompareOp for package libapt-pkg
W: Ignoring Provides line with DepCompareOp for package libjpeg62
W: Ignoring Provides line with DepCompareOp for package pypy-cffi
W: Ignoring Provides line with DepCompareOp for package pypy-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package pypy-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-min
W: You may want to run apt-get update to correct these problems
Reading package lists...
Building dependency tree...
Reading state information...
Picking 'libgit2' as source package instead of 'libgit2-24'
NOTICE: 'libgit2' packaging is maintained in the 'Git' version control system at:
https://anonscm.debian.org/cgit/collab-maint/libgit2.git/
Need to get 4,188 kB of source archives.
Get:1 http://ftp.us.debian.org/debian/ unstable/main libgit2 0.24.1-2 (dsc) [2,006 B]
Get:2 http://ftp.us.debian.org/debian/ unstable/main libgit2 0.24.1-2 (tar) [4,173 kB]
Get:3 http://ftp.us.debian.org/debian/ unstable/main libgit2 0.24.1-2 (diff) [12.9 kB]
gpgv: Signature made Wed 13 Apr 2016 09:35:50 AM UTC using RSA key ID 4D135306
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./libgit2_0.24.1-2.dsc
dpkg-source: info: extracting libgit2 in libgit2-0.24.1
dpkg-source: info: unpacking libgit2_0.24.1.orig.tar.gz
dpkg-source: info: unpacking libgit2_0.24.1-2.debian.tar.xz
dpkg-source: info: applying disable_tests.patch

However, it's no longer available, so presumably it should be removed from the whitelist to avoid misleading people into thinking it's available.

aspiers commented 6 years ago

@ethomson Can you suggest how to deal with this? Is switching from containers to Travis CI's sudo-enabled VMs the only solution?

ethomson commented 6 years ago

Not sure how you want to solve this, but no, I don't think that you'll need sudo-enabled VMs. We build in the container based workflows by hosting our own .deb: https://github.com/libgit2/libgit2/blob/master/.travis.yml#L29 - we use bintray to host it but that's not a requirement.

I'm afraid that you may have to build your own .deb which is disappointing, but you may be able to use an existing one or backport it, then 👍

aspiers commented 6 years ago

I don't understand - how is it allowed to point at your own repositories which contain your own .deb packages? Surely this circumvents the whole security process behind the whitelist if you can install any old package into a container without audit?

ethomson commented 6 years ago

🤷‍♂️ I’m the wrong person to ask about why it works.

aspiers commented 6 years ago

It looks to me very much like your CI isn't actually using containers, and is using sudo:

https://travis-ci.org/libgit2/libgit2/jobs/380646286#L436

My guess is that adding an apt source which isn't on the whitelist automatically disables the use of containers.
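As an added example (not code from the apt-package-safelist project or from either commenter), here is a check for the two problems raised in this thread: a safelisted package whose candidate has disappeared from the configured repositories, and a candidate that is only served from a repository outside an approved-origin list. The parser follows the `apt-cache policy` output format quoted above; `APPROVED_ORIGINS` and the sample outputs are constructed for the example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class PolicyInfo:
    package: str
    candidate: str           # version string, or "(none)" when nothing is installable
    origins: list = field(default_factory=list)   # repository URLs in the version table

def parse_policy(text: str) -> PolicyInfo:
    """Parse one package's `apt-cache policy` block (the format quoted in the issue)."""
    package = text.strip().splitlines()[0].rstrip(":")
    m = re.search(r"^\s*Candidate:\s*(\S+)", text, re.M)
    candidate = m.group(1) if m else "(none)"
    # Version-table rows look like "        500 http://host/path/ suite/component arch Packages"
    origins = re.findall(r"^\s+\d+\s+(\S+://\S+)\s", text, re.M)
    return PolicyInfo(package, candidate, origins)

def check(info: PolicyInfo, approved_origins) -> list:
    """Return findings for one safelisted package; an empty list means it is fine."""
    findings = []
    if info.candidate == "(none)":
        findings.append(f"{info.package}: no installable candidate; remove from safelist")
    for origin in info.origins:
        if not any(origin.startswith(a) for a in approved_origins):
            findings.append(f"{info.package}: candidate served from unapproved origin {origin}")
    return findings

# Assumed approved origins; the real safelist project defines its own policy.
APPROVED_ORIGINS = ("http://ftp.us.debian.org/debian/",)

# Constructed sample: the output quoted in the issue, when the package was still available.
SAMPLE_AVAILABLE = """libgit2-24:
  Installed: (none)
  Candidate: 0.24.1-2
  Version table:
     0.24.1-2 0
        500 http://ftp.us.debian.org/debian/ unstable/main amd64 Packages
"""
# Constructed sample: the same query once the package has left the repository.
SAMPLE_MISSING = "libgit2-24:\n  Installed: (none)\n  Candidate: (none)\n  Version table:\n"
# Constructed sample: a candidate served from a repository not on the approved list.
SAMPLE_UNAPPROVED = ("libgit2-24:\n  Installed: (none)\n  Candidate: 0.99.0-example1\n"
                     "  Version table:\n     0.99.0-example1 0\n"
                     "        500 https://apt.example.invalid/ stable/main amd64 Packages\n")

if __name__ == "__main__":
    # Replace the samples with subprocess.run(["apt-cache", "policy", pkg]).stdout on a live host.
    for sample in (SAMPLE_AVAILABLE, SAMPLE_MISSING, SAMPLE_UNAPPROVED):
        print(check(parse_policy(sample), APPROVED_ORIGINS) or ["OK"])
```

Run against the real safelist on a container image with fresh package lists, this flags entries that should be pruned and candidates that would only resolve from a repository the build environment was not meant to trust.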