[llvm] r311152 - Addressed some security issues in Dockerfiles.

Ilya Biryukov via llvm-commits llvm-commits at lists.llvm.org
Fri Aug 18 02:37:23 PDT 2017


Author: ibiryukov
Date: Fri Aug 18 02:37:23 2017
New Revision: 311152

URL: http://llvm.org/viewvc/llvm-project?rev=311152&view=rev
Log:
Addressed some security issues in Dockerfiles.

Summary:
- Removed --trust-server-cert from `svn checkout` invocations.
  Installing the 'ca-certificates' package on Ubuntu adds the required CAs to
  the system, so svn can verify the server certificate and check out over https.

- Added checksum verification when installing cmake from cmake.org.

Reviewers: mehdi_amini, klimek

Reviewed By: mehdi_amini

Subscribers: llvm-commits

Differential Revision: https://reviews.llvm.org/D36673

Modified:
    llvm/trunk/utils/docker/debian8/build/Dockerfile
    llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile
    llvm/trunk/utils/docker/scripts/build_install_llvm.sh

Modified: llvm/trunk/utils/docker/debian8/build/Dockerfile
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/utils/docker/debian8/build/Dockerfile?rev=311152&r1=311151&r2=311152&view=diff
==============================================================================
--- llvm/trunk/utils/docker/debian8/build/Dockerfile (original)
+++ llvm/trunk/utils/docker/debian8/build/Dockerfile Fri Aug 18 02:37:23 2017
@@ -18,14 +18,24 @@ RUN grep deb /etc/apt/sources.list | \
 
 # Install compiler, python and subversion.
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends build-essential python2.7 wget \
-            subversion ninja-build && \
+    apt-get install -y --no-install-recommends ca-certificates gnupg \
+    	    build-essential python2.7 wget subversion ninja-build && \
     rm -rf /var/lib/apt/lists/*
 
-# Install cmake version that can compile clang into /usr/local.
+# Import public key required for verifying signature of cmake download.
+RUN gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684
+
+# Download, verify and install cmake version that can compile clang into /usr/local.
 # (Version in debian8 repos is is too old)
-RUN wget -O - "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" | \
-    tar xzf - -C /usr/local --strip-components=1
+RUN mkdir /tmp/cmake-install && cd /tmp/cmake-install && \
+    wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt.asc" && \
+    wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt" && \
+    gpg --verify cmake-3.7.2-SHA-256.txt.asc cmake-3.7.2-SHA-256.txt && \
+    wget "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" && \
+    ( grep "cmake-3.7.2-Linux-x86_64.tar.gz" cmake-3.7.2-SHA-256.txt | \
+      sha256sum -c - ) && \
+    tar xzf cmake-3.7.2-Linux-x86_64.tar.gz -C /usr/local --strip-components=1 && \
+    cd / && rm -rf /tmp/cmake-install
 
 # Arguments passed to build_install_clang.sh.
 ARG buildscript_args
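Review bot: The key fetched by `RUN gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684` is selected only by its 64-bit key ID over an unauthenticated hkp connection, so the later `gpg --verify cmake-3.7.2-SHA-256.txt.asc cmake-3.7.2-SHA-256.txt` accepts whatever key the keyserver returns under that ID; the signature check is then only as strong as the keyserver. Pinning the full fingerprint right after the fetch closes that gap, e.g. appending `&& gpg --with-colons --fingerprint 0x2D2CEF1034921684 | grep -q '^fpr:.*:<EXPECTED_FINGERPRINT>:'` to that RUN, where the fingerprint (a placeholder here, not on the page) is taken from the publisher's release-signing documentation rather than from the keyserver. The checksum step itself is sound: `sha256sum -c -` fails on an empty grep result as well as on a mismatch. Separately, the continuation line after `ca-certificates gnupg` indents with spaces followed by a tab while its neighbours use spaces only; the same mixed indent appears in the nvidia-cuda Dockerfile hunk.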

Modified: llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile?rev=311152&r1=311151&r2=311152&view=diff
==============================================================================
--- llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile (original)
+++ llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile Fri Aug 18 02:37:23 2017
@@ -17,7 +17,8 @@ ARG buildscript_args
 
 # Install llvm build dependencies.
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends cmake python2.7 subversion ninja-build && \
+    apt-get install -y --no-install-recommends ca-certificates cmake python2.7 \
+		    subversion ninja-build && \
     rm -rf /var/lib/apt/lists/*
 
 # Run the build. Results of the build will be available as /tmp/clang.tar.gz.

Modified: llvm/trunk/utils/docker/scripts/build_install_llvm.sh
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/utils/docker/scripts/build_install_llvm.sh?rev=311152&r1=311151&r2=311152&view=diff
==============================================================================
--- llvm/trunk/utils/docker/scripts/build_install_llvm.sh (original)
+++ llvm/trunk/utils/docker/scripts/build_install_llvm.sh Fri Aug 18 02:37:23 2017
@@ -167,20 +167,14 @@ for LLVM_PROJECT in $LLVM_PROJECTS; do
   fi
 
   echo "Checking out https://llvm.org/svn/llvm-project/$SVN_PROJECT to $CLANG_BUILD_DIR/src/$LLVM_PROJECT"
-  # FIXME: --trust-server-cert is required to workaround 'SSL issuer is not
-  #        trusted' error. Using https seems preferable to http either way,
-  #        albeit this is not secure.
-  svn co -q $SVN_REV_ARG --trust-server-cert \
+  svn co -q $SVN_REV_ARG \
     "https://llvm.org/svn/llvm-project/$SVN_PROJECT/$LLVM_BRANCH" \
     "$CLANG_BUILD_DIR/src/$LLVM_PROJECT"
 done
 
 if [ $CLANG_TOOLS_EXTRA_ENABLED -ne 0 ]; then
   echo "Checking out https://llvm.org/svn/llvm-project/clang-tools-extra to $CLANG_BUILD_DIR/src/clang/tools/extra"
-  # FIXME: --trust-server-cert is required to workaround 'SSL issuer is not
-  #        trusted' error. Using https seems preferable to http either way,
-  #        albeit this is not secure.
-  svn co -q $SVN_REV_ARG --trust-server-cert \
+  svn co -q $SVN_REV_ARG \
     "https://llvm.org/svn/llvm-project/clang-tools-extra/$LLVM_BRANCH" \
     "$CLANG_BUILD_DIR/src/clang/tools/extra"
 fi
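Review bot: Dropping `--trust-server-cert` at both `svn co -q $SVN_REV_ARG \` lines makes the checkout depend on a trusted CA bundle being present in the image, but nothing in the script records that prerequisite, so an image that omits ca-certificates will fail with the 'SSL issuer is not trusted' error the removed FIXME described. A one-line comment above each invocation would keep that knowledge in the script: `# Requires ca-certificates in the image: svn validates llvm.org's TLS chain against the system CA store.` While there, `$SVN_REV_ARG` is presumably left unquoted on purpose so an empty value expands to nothing and a populated one splits into flag and revision — worth saying so in the same comment. The clang-tools-extra branch below carries the identical change, and the `for LLVM_PROJECT` loop containing the first invocation begins before this hunk.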



