Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade ca-certificates when creating container #70

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

amartinz
Copy link
Member

@amartinz amartinz commented Jun 21, 2022

Xenial's ca-certificates is outdated and needs to be updated or
websites using Let's encrypt will not be reachable.

This will break building certain packages which fetch from such
websites, like bluez:


Installing arm64 (host amd64) build dependencies for bluez in container bluez-usdk-16-04-amd64-arm64-dev.
Downloading upstream source tarball of bluez in container to bluez_5.42+ubports5.orig.tar.xz.
--2022-06-21 16:17:11--  http://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Resolving www.kernel.org (www.kernel.org)... 145.40.68.75, 2604:1380:4601:e00::1
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz [following]
--2022-06-21 16:17:12--  https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:443... connected.
ERROR: cannot verify www.kernel.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to www.kernel.org insecurely, use `--no-check-certificate'.

Explicitly add ca-certificate to the list of packages to install to force it to be upgraded to the latest version.

@peat-psuwit
Copy link
Contributor

Hmm... the commit message gives an impression that ca-certificates wasn't already installed. Could you please re-word that a little bit?

@amartinz
Copy link
Member Author

Hmm... the commit message gives an impression that ca-certificates wasn't already installed. Could you please re-word that a little bit?

Add -> Upgrade

would that be ok?

@mardy
Copy link
Member

mardy commented Jun 25, 2022

Add -> Upgrade

would that be ok?

Maybe the long description of the commit message could be: "Explicitly add the ca-certificate packages to force it to be upgraded to the latest version".

I wonder, though, if it wouldn't be better to run a full apt upgrade instead. I wonder if something would break, though...

Xenial's ca-certificates is outdated and needs to be updated or
websites using Let's encrypt will not be reachable.

This will break building certain packages which fetch from such
websites, like bluez:

-----

Installing arm64 (host amd64) build dependencies for bluez in container bluez-usdk-16-04-amd64-arm64-dev.
Downloading upstream source tarball of bluez in container to bluez_5.42+ubports5.orig.tar.xz.
--2022-06-21 16:17:11--  http://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Resolving www.kernel.org (www.kernel.org)... 145.40.68.75, 2604:1380:4601:e00::1
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz [following]
--2022-06-21 16:17:12--  https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:443... connected.
ERROR: cannot verify www.kernel.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to www.kernel.org insecurely, use `--no-check-certificate'.

-----

Explicitly add ca-certificate to the list of packages to install
to force it to be upgraded to the latest version.

Signed-off-by: Alexander Martinz <alexander@ubports.com>
@amartinz amartinz changed the title Add ca-certificates to packages when creating container Upgrade ca-certificates when creating container Jun 29, 2022
@amartinz
Copy link
Member Author

I wonder, though, if it wouldn't be better to run a full apt upgrade instead. I wonder if something would break, though...

This failed spectaculary on my end, tried this before sending this PR.

Another option would be to update the sdk images we provide.
They were last updated in August 2021.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants