@amartinz amartinz commented Jun 21, 2022

Xenial's ca-certificates is outdated and needs to be updated or
websites using Let's Encrypt will not be reachable.

This will break building certain packages which fetch from such
websites, like bluez:


Installing arm64 (host amd64) build dependencies for bluez in container bluez-usdk-16-04-amd64-arm64-dev.
Downloading upstream source tarball of bluez in container to bluez_5.42+ubports5.orig.tar.xz.
--2022-06-21 16:17:11--  http://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Resolving www.kernel.org (www.kernel.org)... 145.40.68.75, 2604:1380:4601:e00::1
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz [following]
--2022-06-21 16:17:12--  https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:443... connected.
ERROR: cannot verify www.kernel.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to www.kernel.org insecurely, use `--no-check-certificate'.

Explicitly add ca-certificates to the list of packages to install to force it to be upgraded to the latest version.

@amartinz amartinz requested review from mardy and peat-psuwit June 21, 2022 16:30
@peat-psuwit
Contributor

Hmm... the commit message gives an impression that ca-certificates wasn't already installed. Could you please re-word that a little bit?

@amartinz
Member Author

> Hmm... the commit message gives an impression that ca-certificates wasn't already installed. Could you please re-word that a little bit?

Add -> Upgrade

would that be ok?

@mardy
Member

mardy commented Jun 25, 2022

> Add -> Upgrade
>
> would that be ok?

Maybe the long description of the commit message could be: "Explicitly add the ca-certificate packages to force it to be upgraded to the latest version".

I wonder, though, if it wouldn't be better to run a full apt upgrade instead. I wonder if something would break, though...

Xenial's ca-certificates is outdated and needs to be updated or
websites using Let's Encrypt will not be reachable.

This will break building certain packages which fetch from such
websites, like bluez:

-----

Installing arm64 (host amd64) build dependencies for bluez in container bluez-usdk-16-04-amd64-arm64-dev.
Downloading upstream source tarball of bluez in container to bluez_5.42+ubports5.orig.tar.xz.
--2022-06-21 16:17:11--  http://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Resolving www.kernel.org (www.kernel.org)... 145.40.68.75, 2604:1380:4601:e00::1
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz [following]
--2022-06-21 16:17:12--  https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:443... connected.
ERROR: cannot verify www.kernel.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to www.kernel.org insecurely, use `--no-check-certificate'.

-----

Explicitly add ca-certificates to the list of packages to install
to force it to be upgraded to the latest version.

Signed-off-by: Alexander Martinz <alexander@ubports.com>
@amartinz amartinz changed the title from "Add ca-certificates to packages when creating container" to "Upgrade ca-certificates when creating container" on Jun 29, 2022
@amartinz
Member Author

> I wonder, though, if it wouldn't be better to run a full apt upgrade instead. I wonder if something would break, though...

This failed spectacularly on my end, tried this before sending this PR.

Another option would be to update the sdk images we provide.
They were last updated in August 2021.
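
The certificate failure in the build log quoted in this PR can be flagged mechanically in container build output, so a stale trust store is reported as such instead of being worked around with `--no-check-certificate`. The following is an added example, not part of this PR or the project's code: the function names `tls_failures` and `sample_log` are hypothetical, and the sample input is constructed from the log lines quoted above.

```shell
#!/bin/sh
# Added example: extract wget certificate-verification failures from a build log.

# Constructed sample input: the failing lines from the log quoted in this PR.
sample_log() {
cat <<'EOF'
--2022-06-21 16:17:12--  https://www.kernel.org/pub/linux/bluetooth/bluez-5.41.tar.xz
Connecting to www.kernel.org (www.kernel.org)|145.40.68.75|:443... connected.
ERROR: cannot verify www.kernel.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to www.kernel.org insecurely, use `--no-check-certificate'.
EOF
}

# Read a log on stdin and print one "host<TAB>issuer<TAB>reason" line per
# verification failure. \047 is the octal escape for a single quote in awk.
tls_failures() {
    awk '
    /^ERROR: cannot verify .*certificate, issued by / {
        host = $0
        sub(/^ERROR: cannot verify /, "", host)
        sub(/\047s certificate, issued by .*$/, "", host)
        issuer = $0
        sub(/^.*issued by \047/, "", issuer)
        sub(/\047:$/, "", issuer)
        pending = 1      # wget prints the reason on the following line
        next
    }
    pending {
        reason = $0
        sub(/^[ \t]+/, "", reason)
        printf "%s\t%s\t%s\n", host, issuer, reason
        pending = 0
    }'
}

# Stand-alone run over the constructed sample.
sample_log | tls_failures
```

In a build pipeline the same function can read the real build log on stdin; any output line points at the CA bundle inside the container rather than at the remote site.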
