diff --git a/Dockerfile b/Dockerfile index 833334334b0b20cdab4351bacf1f2e840f705dc7..2b937f924d8c78c41199454492fdcc184aa7877b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,5 @@ FROM debian:bullseye -ARG IGNORE_EXPIRY=0 ENV LANG=C.UTF-8 ENV DEBIAN_FRONTEND=noninteractive diff --git a/README.md b/README.md index f9a2a6f4b878d30a7476580e8189d7a1735c0fce..e84476b61bdfc35d7086253163ac331dbe1c2903 100644 --- a/README.md +++ b/README.md @@ -55,13 +55,10 @@ Build our Docker image: docker build -t briar/go-reproducer go-reproducer -Building the image might fail due to expired Debian packages. -You can disable the expiry check by adding a build argument: - - docker build --build-arg IGNORE_EXPIRY=1 -t briar/go-reproducer go-reproducer - -However, note that this might expose the build process to MITM attacks -which inject outdated vulnerable packages. +To ensure reproducibility we build the image from a fixed snapshot of Debian +and ignore expiry warnings for Debian packages. This means the build process +inside the Docker container may use outdated packages that could contain +known vulnerabilities. ### Run the verification
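Review bot: In the Dockerfile hunk, `ARG IGNORE_EXPIRY=0` is removed but the diff shows no change to wherever that build argument was consumed (the apt configuration that the old README's `--build-arg IGNORE_EXPIRY=1` toggled). If that reference still exists, the build now dereferences an undefined variable and the expiry check may silently end up in whichever state the leftover logic defaults to; please either show the line that now sets the check unconditionally or confirm the consumer was dropped in the same change.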
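Review bot: The README hunk claims the image is built "from a fixed snapshot of Debian", but the only Dockerfile context visible in this patch is `FROM debian:bullseye`, a floating tag rather than a pinned snapshot or digest, and nothing in the diff shows a snapshot mirror being configured. Either pin the base image and name the snapshot source and date in this paragraph, or reword the claim. The removed text also explained why ignoring expiry is risky (a stale mirror or MITM can replay old, vulnerable package indexes); the new wording keeps only "outdated packages", so consider keeping one sentence that states the fixed snapshot is what limits that exposure, and what the reader should verify if they change the snapshot.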