ubports / crossbuilder

A Debian package cross building tool using LXD

Upgrade ca-certificates when creating container #70

Open amartinz opened 2 years ago

amartinz commented 2 years ago

Xenial's ca-certificates is outdated and needs to be updated, or websites using Let's Encrypt will not be reachable.

This will break building certain packages which fetch from such websites, like bluez:


Installing arm64 (host amd64) build dependencies for bluez in container bluez-usdk-16-04-amd64-arm64-dev.
Downloading upstream source tarball of bluez in container to bluez_5.42+ubports5.orig.tar.xz.
--2022-06-21 16:17:11--  http://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Resolving www.kernel.org (www.kernel.org)... 145.40.68.75, 2604:1380:4601:e00::1
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz [following]
--2022-06-21 16:17:12--  https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:443... connected.
ERROR: cannot verify www.kernel.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to www.kernel.org insecurely, use `--no-check-certificate'.

Explicitly add ca-certificates to the list of packages to install to force it to be upgraded to the latest version.
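A triage check for the failure shown in the PR description above, as an added example that is not part of the PR or of crossbuilder: it extracts the wget certificate error from a build log and compares it with apt-cache policy output for ca-certificates to decide whether a stale trust store is the cause. The function names are hypothetical, and the policy output and its version strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not crossbuilder code; function names are hypothetical.

# stdin: build log. stdout: "host<TAB>reason" for each wget certificate failure.
cert_failures() {
    awk -v q="'" '
        /^ERROR: cannot verify .* certificate/ {
            host = $4; sub(q "s$", "", host); pending = 1; next
        }
        pending && /^ +/ {
            r = $0; sub(/^ +/, "", r); sub(/\.$/, "", r); print host "\t" r
        }
        { pending = 0 }'
}

# stdin: apt-cache policy ca-certificates output. Exit 0 if Installed != Candidate.
upgrade_pending() {
    awk '$1 == "Installed:" { inst = $2 }
         $1 == "Candidate:" { cand = $2 }
         END { exit !(inst != "" && cand != "" && inst != cand) }'
}

# $1: build log text, $2: apt-cache policy text. Prints one verdict.
diagnose() (
    failures=$(printf '%s\n' "$1" | cert_failures)
    if [ -z "$failures" ]; then
        echo "no-tls-failure"
    elif printf '%s\n' "$failures" | grep -q 'expired$' &&
         printf '%s\n' "$2" | upgrade_pending; then
        echo "stale-trust-store"   # fix: upgrade ca-certificates, keep verification on
    else
        echo "other-cause"
    fi
)

# Lines taken from the wget output quoted in the PR description.
sample_log() {
cat <<'EOF'
ERROR: cannot verify www.kernel.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to www.kernel.org insecurely, use `--no-check-certificate'.
EOF
}

# Constructed apt-cache policy output; $1 and $2 are placeholder version strings.
sample_policy() {
    printf 'ca-certificates:\n  Installed: %s\n  Candidate: %s\n' "$1" "$2"
}

diagnose "$(sample_log)" "$(sample_policy OLD-VERSION NEW-VERSION)"
```

In a real container the second argument would be the captured output of apt-cache policy ca-certificates after an apt-get update.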

peat-psuwit commented 2 years ago

Hmm... the commit message gives an impression that ca-certificates wasn't already installed. Could you please re-word that a little bit?

amartinz commented 2 years ago

> Hmm... the commit message gives an impression that ca-certificates wasn't already installed. Could you please re-word that a little bit?

Add -> Upgrade

would that be ok?

mardy commented 2 years ago

> Add -> Upgrade
>
> would that be ok?

Maybe the long description of the commit message could be: "Explicitly add the ca-certificates package to force it to be upgraded to the latest version".

I wonder, though, if it wouldn't be better to run a full apt upgrade instead. I wonder if something would break, though...

amartinz commented 2 years ago

> I wonder, though, if it wouldn't be better to run a full apt upgrade instead. I wonder if something would break, though...

This failed spectacularly on my end, tried this before sending this PR.

Another option would be to update the sdk images we provide. They were last updated in August 2021.