
libgit2-24 is included in whitelist but not available in repositories #4285

Open
aspiers opened this issue May 15, 2018 · 5 comments

Comments

@aspiers

aspiers commented May 15, 2018

#3420 requested libgit2-24, and the consequent Travis CI run shows that at one point libgit2-24 was available from the Debian unstable repo:

Fetching source package for libgit2-24
libgit2-24:
  Installed: (none)
  Candidate: 0.24.1-2
  Version table:
     0.24.1-2 0
        500 http://ftp.us.debian.org/debian/ unstable/main amd64 Packages
W: Ignoring Provides line with DepCompareOp for package libapt-inst
W: Ignoring Provides line with DepCompareOp for package libapt-pkg
W: Ignoring Provides line with DepCompareOp for package libparse-cpan-meta-perl
W: Ignoring Provides line with DepCompareOp for package libjpeg62
W: Ignoring Provides line with DepCompareOp for package php-psr-http-message-implementation
W: Ignoring Provides line with DepCompareOp for package php-psr-log-implementation
W: Ignoring Provides line with DepCompareOp for package php-seclib
W: Ignoring Provides line with DepCompareOp for package php-sabre-http
W: Ignoring Provides line with DepCompareOp for package php-math-biginteger
W: Ignoring Provides line with DepCompareOp for package pypy-cffi
W: Ignoring Provides line with DepCompareOp for package pypy-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package pypy-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package libapt-inst
W: Ignoring Provides line with DepCompareOp for package libapt-pkg
W: Ignoring Provides line with DepCompareOp for package libjpeg62
W: Ignoring Provides line with DepCompareOp for package pypy-cffi
W: Ignoring Provides line with DepCompareOp for package pypy-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package pypy-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python3-cffi-backend-api-min
W: You may want to run apt-get update to correct these problems
Reading package lists...
Building dependency tree...
Reading state information...
Picking 'libgit2' as source package instead of 'libgit2-24'
NOTICE: 'libgit2' packaging is maintained in the 'Git' version control system at:
https://anonscm.debian.org/cgit/collab-maint/libgit2.git/
Need to get 4,188 kB of source archives.
Get:1 http://ftp.us.debian.org/debian/ unstable/main libgit2 0.24.1-2 (dsc) [2,006 B]
Get:2 http://ftp.us.debian.org/debian/ unstable/main libgit2 0.24.1-2 (tar) [4,173 kB]
Get:3 http://ftp.us.debian.org/debian/ unstable/main libgit2 0.24.1-2 (diff) [12.9 kB]
gpgv: Signature made Wed 13 Apr 2016 09:35:50 AM UTC using RSA key ID 4D135306
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./libgit2_0.24.1-2.dsc
dpkg-source: info: extracting libgit2 in libgit2-0.24.1
dpkg-source: info: unpacking libgit2_0.24.1.orig.tar.gz
dpkg-source: info: unpacking libgit2_0.24.1-2.debian.tar.xz
dpkg-source: info: applying disable_tests.patch

However, it's no longer available, so presumably it should be removed from the whitelist to avoid misleading people into thinking it's available.
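The log above shows the part of this that matters beyond package availability: gpgv could not check the signature on libgit2_0.24.1-2.dsc, dpkg-source printed a warning, and then unpacked and patched the source anyway. Nothing in that transcript fails the job. The following is an added example, not code from this issue, from Travis CI or from the libgit2 project: it reads an `apt-get source` transcript, records every .dsc that dpkg-source accepted without a verified signature (with the key ID and reason gpgv gave), and returns non-zero so a CI step can gate on it. The sample transcript is constructed from the lines quoted above; the regexes are written for that output format and are an assumption about how other gpgv/dpkg-source versions phrase the same messages.

```python
import re
import sys

# Constructed sample, not a live capture: the signature-related lines from the
# `apt-get source libgit2-24` output quoted in the issue above.
SAMPLE_LOG = """\
Get:1 http://ftp.us.debian.org/debian/ unstable/main libgit2 0.24.1-2 (dsc) [2,006 B]
gpgv: Signature made Wed 13 Apr 2016 09:35:50 AM UTC using RSA key ID 4D135306
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./libgit2_0.24.1-2.dsc
dpkg-source: info: extracting libgit2 in libgit2-0.24.1
"""

# Line shapes produced by gpgv and dpkg-source, written for the output format
# shown in the issue (assumption: other versions phrase them the same way).
GPGV_KEY = re.compile(r"^gpgv: Signature made .* key ID ([0-9A-Fa-f]+)$")
GPGV_FAIL = re.compile(r"^gpgv: ((?:Can't check signature|BAD signature).*)$")
DPKG_FAIL = re.compile(r"^dpkg-source: warning: failed to verify signature on (\S+)$")


def audit_source_fetch(log_text):
    """Return one finding per .dsc that dpkg-source unpacked without a verified signature.

    Each finding records the .dsc path, the key ID gpgv reported (if any) and the
    reason gpgv gave, so the build log states exactly what was accepted unverified.
    """
    findings = []
    key_id = reason = None
    for line in log_text.splitlines():
        m = GPGV_KEY.match(line)
        if m:
            key_id = m.group(1)
            continue
        m = GPGV_FAIL.match(line)
        if m:
            reason = m.group(1)
            continue
        m = DPKG_FAIL.match(line)
        if m:
            findings.append({"dsc": m.group(1), "key_id": key_id, "reason": reason})
            key_id = reason = None  # the next .dsc starts with a clean slate
    return findings


def main(argv):
    """Read an apt-get source transcript from a file (or the sample) and fail closed."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    findings = audit_source_fetch(text)
    for f in findings:
        print(f"UNVERIFIED: {f['dsc']} (key {f['key_id']}): {f['reason']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `apt-get source libgit2-24 2>&1 | tee fetch.log; python3 audit_source_fetch.py fetch.log`. Scanning the log is the after-the-fact check; the enforcing alternative is to fetch the .dsc and unpack it yourself with `dpkg-source --require-valid-signature -x`, which refuses to unpack unless the signature verifies against a keyring you installed, rather than warning and continuing as the transcript above shows.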

@aspiers

aspiers commented May 18, 2018

@ethomson Can you suggest how to deal with this? Is switching from containers to Travis CI's sudo-enabled VMs the only solution?

@ethomson

Not sure how you want to solve this, but no, I don't think that you'll need sudo-enabled VMs. We build in the container based workflows by hosting our own .deb: https://github.com/libgit2/libgit2/blob/master/.travis.yml#L29 - we use bintray to host it but that's not a requirement.

I'm afraid that you may have to build your own .deb which is disappointing, but you may be able to use an existing one or backport it, then 👍

@aspiers

aspiers commented May 18, 2018

I don't understand - how is it allowed to point at your own repositories which contain your own .deb packages? Surely this circumvents the whole security process behind the whitelist if you can install any old package into a container without audit?

@ethomson

🤷‍♂️ I’m the wrong person to ask about why it works.

@aspiers

aspiers commented May 20, 2018

It looks to me very much like your CI isn't actually using containers, and is using sudo:

https://travis-ci.org/libgit2/libgit2/jobs/380646286#L436

My guess is that adding an apt source which isn't on the whitelist automatically disables the use of containers.
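The question raised in this thread, whether a custom `sourceline` in the apt addon sidesteps the review that the whitelist is supposed to provide, is one a repository owner can at least make visible in their own CI. The following is an added example, not code from this issue, from Travis CI or from the libgit2 project: a policy check over the parsed `addons: apt:` block of a .travis.yml. It rejects packages and source aliases that are not on a whitelist, and for any custom `sourceline` it reports that the repository is outside the whitelist and flags the settings that weaken apt's own verification: a non-https transport, `[trusted=yes]` (which disables apt's signature checking for that repository), and a missing or non-https `key_url`. The field names `packages`, `sources`, `sourceline` and `key_url` are assumed from the Travis apt addon format rather than taken from this issue; the whitelist excerpts and the three configs are constructed for the example, and whether a custom source also drops a job out of container mode is left as the guess it is above.

```python
from urllib.parse import urlsplit

# Hypothetical whitelist excerpts, stand-ins for the lists the apt-package-whitelist
# repository maintains; not the real lists.
WHITELISTED_PACKAGES = {"cmake", "libssh2-1-dev", "valgrind"}
WHITELISTED_SOURCE_ALIASES = {"ubuntu-toolchain-r-test"}

# Constructed configs: the dict that parsing the `addons: apt:` block of a
# .travis.yml gives. Field names are assumed from the Travis apt addon format.
CONFIG_WHITELIST_ONLY = {
    "sources": ["ubuntu-toolchain-r-test"],
    "packages": ["cmake", "valgrind"],
}
CONFIG_CUSTOM_REPO = {
    "sources": [{"sourceline": "deb [trusted=yes] http://example.invalid/debs trusty main"}],
    "packages": ["libgit2-24"],
}
CONFIG_CUSTOM_REPO_SIGNED = {
    "sources": [{"sourceline": "deb https://example.invalid/debs trusty main",
                 "key_url": "https://example.invalid/signing-key.gpg"}],
    "packages": ["cmake"],
}


def _split_sourceline(line):
    """Split 'deb [opt ...] url suite comp...' into (options, url); None if malformed."""
    fields = line.split()
    if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
        return None
    tokens, options = fields[1:], []
    if tokens[0].startswith("["):           # bracketed options may span several tokens
        while tokens:
            tok = tokens.pop(0)
            options.append(tok.strip("[]"))
            if tok.endswith("]"):
                break
    if len(tokens) < 2:                     # need at least url and suite
        return None
    return options, tokens[0]


def audit_apt_addon(apt, packages_whitelist=WHITELISTED_PACKAGES,
                    source_aliases=WHITELISTED_SOURCE_ALIASES):
    """Return a list of policy findings for one addons.apt block; empty means clean."""
    findings = []
    for pkg in apt.get("packages", []):
        if pkg not in packages_whitelist:
            findings.append(f"package {pkg!r} is not whitelisted")
    for src in apt.get("sources", []):
        if isinstance(src, str):
            if src not in source_aliases:
                findings.append(f"source alias {src!r} is not whitelisted")
            continue
        # A mapping with a `sourceline` is a repository the config author chose;
        # nothing in the whitelist process has looked at it or its packages.
        line = str(src.get("sourceline", ""))
        parsed = _split_sourceline(line)
        if parsed is None:
            findings.append(f"malformed sourceline {line!r}")
            continue
        options, url = parsed
        tag = f"custom source {url}"
        findings.append(f"{tag}: outside the whitelist, review the repository and its packages yourself")
        if urlsplit(url).scheme != "https":
            findings.append(f"{tag}: fetched over {urlsplit(url).scheme!r}, not https")
        if "trusted=yes" in options:
            findings.append(f"{tag}: [trusted=yes] disables apt signature checks for this repository")
        key_url = src.get("key_url")
        if not key_url:
            findings.append(f"{tag}: no key_url, the repository signing key is not pinned in the config")
        elif urlsplit(key_url).scheme != "https":
            findings.append(f"{tag}: signing key fetched over {urlsplit(key_url).scheme!r}, "
                            "so anyone on the path can substitute it")
    return findings


if __name__ == "__main__":
    for name, cfg in [("whitelist-only", CONFIG_WHITELIST_ONLY),
                      ("custom-repo", CONFIG_CUSTOM_REPO),
                      ("custom-repo-signed", CONFIG_CUSTOM_REPO_SIGNED)]:
        print(name)
        for finding in audit_apt_addon(cfg) or ["clean"]:
            print("  " + finding)
```

A config that only names whitelisted aliases and packages comes back clean; the `[trusted=yes]` http repository with an unlisted package produces five findings; the https repository with a pinned key still produces one, because a self-hosted .deb is exactly the case the whitelist never reviewed, which is the point aspiers raises above.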
