Add build argument to disable expiry checking of debian packages

e5fc3dd8 · Torsten Grote · 5b7ed6c2 · e5fc3dd8 · e5fc3dd8 · e5fc3dd8
Verified Commit e5fc3dd8 authored 6 years ago by Torsten Grote
--- a/Dockerfile
+++ b/Dockerfile
 FROM debian:stretch

+ARG IGNORE_EXPIRY=0
 ENV LANG=C.UTF-8
 ENV DEBIAN_FRONTEND=noninteractive


--- a/README.md
+++ b/README.md
@@ -51,6 +51,14 @@ Build our Docker image:

    docker build -t briar/go-reproducer go-reproducer

+Building the image might fail due to expired Debian packages.
+You can disable the expiry check by adding a build argument:
+
+    docker build --build-arg IGNORE_EXPIRY=1 -t briar/go-reproducer go-reproducer
+
+However, note that this might expose the build process to MITM attacks
+which inject outdated vulnerable packages.
+
 ### Run the verification

 To verify a specific version of obfs4proxy, run

--- a/install.sh
+++ b/install.sh
@@ -3,12 +3,18 @@ set -e
 set -x

 # use snapshot repos for deterministic package versions
-DATE="20190206T120000Z"
+DATE="20190219T000000Z"
 cat << EOF > /etc/apt/sources.list
 deb http://snapshot.debian.org/archive/debian/${DATE}/ stretch main
 deb http://snapshot.debian.org/archive/debian-security/${DATE}/ stretch/updates main
 EOF

+# ignore expired package releases if env variable is set
+if [[ "${IGNORE_EXPIRY}" = "1" ]]
+then
+    echo 'Acquire::Check-Valid-Until "0";' >> /etc/apt/apt.conf.d/10-ignore-expiry
+fi
+
 # update package sources
 apt-get update
 apt-get -y upgrade