Embedding version hash and distro in string #117
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,8 @@ | ||
| @{ | ||
| import distro | ||
| import hashlib | ||
| import os | ||
| import requests | ||
|
|
||
| import rosdistro | ||
| index = rosdistro.get_index(rosdistro.get_index_url()) | ||
|
|
@@ -26,12 +29,28 @@ else: | |
| apt_suffix += '-testing' | ||
| source_suffix = 'testing' | ||
| repo_url = f'http://packages.ros.org/ros{apt_suffix}/ubuntu' | ||
|
|
||
| # Get the latest tag | ||
| r = requests.get('https://api.github.com/repos/ros-infrastructure/ros-apt-source/releases/latest') | ||
| tag_name = r.json().get('tag_name') | ||
|
|
||
| # Get the latest version and compute the checksum | ||
| fetch_url = f"https://github.com/ros-infrastructure/ros-apt-source/releases/download/{tag_name}/ros{apt_suffix}-apt-source_{tag_name}.{os_code_name}_all.deb" | ||
|
There was a problem hiding this comment. Does this fundamentally solve the issue raised in docker-library/official-images#19162 (comment) (ie: should the hash not have been generated during the build of the
Member
There was a problem hiding this comment. The package is fetched over a TLS connection and hashed. Even if the hash was precomputed and posted somewhere, we'd still be fetching that over something like https as well, so chain of trust still inherently hinges upon the installed ca-certificates ( and integrity of the CI runtime of course). In truth, this really only helps alleviate the library's build farm from having to interact with GitHub's public API endpoint, which is severely rate limited. Hardcoding the public key or fingerprint would be more foolproof, but the template was being expanding that already before via "trusted" CI runtime anyhow. But I guess it would still be more apparent if the fingerprint changed in the diff review process as apposed to an ever evolving checksum of a moving target file. |
||
| try: | ||
| r = requests.get(fetch_url) | ||
| hashobj = hashlib.sha256(r.content) | ||
| file_256checksum = hashobj.hexdigest() | ||
| except Exception as e: | ||
| file_256checksum = f"ERROR Failed to compute checksum for {fetch_url} do not accept image. Exception: {e}" | ||
|
|
||
| # Temp filename for simplicity of embedding | ||
| temp_filename = f"/tmp/ros{apt_suffix}-apt-source.deb" | ||
| }@ | ||
|
|
||
| # Setup ROS Apt sources | ||
| RUN curl -L -s -o @(temp_filename) @(fetch_url) \ | ||
| && echo "@(file_256checksum) @(temp_filename)" | sha256sum --strict --check \ | ||
| && apt-get update \ | ||
| && apt-get install @(temp_filename) \ | ||
| && rm -f @(temp_filename) \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be in the else block as
apt_suffixvariable doesnt exist in the if branch