[PATCH] D36673: Addressed some security issues in Dockerfiles.
Phabricator via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Fri Aug 18 02:38:35 PDT 2017
This revision was automatically updated to reflect the committed changes.
Closed by commit rL311152: Addressed some security issues in Dockerfiles. (authored by ibiryukov).
Repository:
rL LLVM
https://reviews.llvm.org/D36673
Files:
llvm/trunk/utils/docker/debian8/build/Dockerfile
llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile
llvm/trunk/utils/docker/scripts/build_install_llvm.sh
Index: llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile
===================================================================
--- llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile
+++ llvm/trunk/utils/docker/nvidia-cuda/build/Dockerfile
@@ -17,7 +17,8 @@
# Install llvm build dependencies.
RUN apt-get update && \
- apt-get install -y --no-install-recommends cmake python2.7 subversion ninja-build && \
+ apt-get install -y --no-install-recommends ca-certificates cmake python2.7 \
+ subversion ninja-build && \
rm -rf /var/lib/apt/lists/*
# Run the build. Results of the build will be available as /tmp/clang.tar.gz.
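Review bot: The ca-certificates package added to the `apt-get install` line carries a dependency that is invisible from this file: the script this image runs (scripts/build_install_llvm.sh, changed in the same commit) now relies on svn validating llvm.org's TLS certificate instead of passing `--trust-server-cert`, so removing the package later would break the checkout rather than quietly weaken it. A one-line comment above the RUN would make that explicit: `# ca-certificates: required so svn can validate the llvm.org TLS certificate (see scripts/build_install_llvm.sh).` The same note applies to the debian8 image in this patch.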
Index: llvm/trunk/utils/docker/debian8/build/Dockerfile
===================================================================
--- llvm/trunk/utils/docker/debian8/build/Dockerfile
+++ llvm/trunk/utils/docker/debian8/build/Dockerfile
@@ -18,14 +18,24 @@
# Install compiler, python and subversion.
RUN apt-get update && \
- apt-get install -y --no-install-recommends build-essential python2.7 wget \
- subversion ninja-build && \
+ apt-get install -y --no-install-recommends ca-certificates gnupg \
+ build-essential python2.7 wget subversion ninja-build && \
rm -rf /var/lib/apt/lists/*
-# Install cmake version that can compile clang into /usr/local.
+# Import public key required for verifying signature of cmake download.
+RUN gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684
+
+# Download, verify and install cmake version that can compile clang into /usr/local.
# (Version in debian8 repos is is too old)
-RUN wget -O - "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" | \
- tar xzf - -C /usr/local --strip-components=1
+RUN mkdir /tmp/cmake-install && cd /tmp/cmake-install && \
+ wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt.asc" && \
+ wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt" && \
+ gpg --verify cmake-3.7.2-SHA-256.txt.asc cmake-3.7.2-SHA-256.txt && \
+ wget "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" && \
+ ( grep "cmake-3.7.2-Linux-x86_64.tar.gz" cmake-3.7.2-SHA-256.txt | \
+ sha256sum -c - ) && \
+ tar xzf cmake-3.7.2-Linux-x86_64.tar.gz -C /usr/local --strip-components=1 && \
+ cd / && rm -rf /tmp/cmake-install
# Arguments passed to build_install_clang.sh.
ARG buildscript_args
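Review bot: The `gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684` line is the weak link of the new verification chain: the key is fetched over an unauthenticated HKP connection and selected only by its 64-bit key ID, so anyone who can intercept that connection or publish a key with a colliding ID supplies a key that `gpg --verify` in the next RUN accepts without complaint, after which the SHA-256 check certifies an attacker-chosen tarball. Fetching over `hkps://` and pinning the full 40-digit fingerprint published by cmake.org closes this: pass the full fingerprint to `--recv-keys` and check it after import, e.g. `gpg --with-colons --fingerprint 0x2D2CEF1034921684 | grep -q "^fpr:.*:<FULL-FINGERPRINT>:"`, since `gpg --verify` only warns (exit 0) about an untrusted key. Because the cmake version is already pinned to 3.7.2, an alternative is to embed the tarball's expected SHA-256 directly in the Dockerfile and feed it to `sha256sum -c`, which gives the same guarantee without a keyserver round-trip and keeps the build working when pgp.mit.edu is unreachable.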
Index: llvm/trunk/utils/docker/scripts/build_install_llvm.sh
===================================================================
--- llvm/trunk/utils/docker/scripts/build_install_llvm.sh
+++ llvm/trunk/utils/docker/scripts/build_install_llvm.sh
@@ -167,20 +167,14 @@
fi
echo "Checking out https://llvm.org/svn/llvm-project/$SVN_PROJECT to $CLANG_BUILD_DIR/src/$LLVM_PROJECT"
- # FIXME: --trust-server-cert is required to workaround 'SSL issuer is not
- # trusted' error. Using https seems preferable to http either way,
- # albeit this is not secure.
- svn co -q $SVN_REV_ARG --trust-server-cert \
+ svn co -q $SVN_REV_ARG \
"https://llvm.org/svn/llvm-project/$SVN_PROJECT/$LLVM_BRANCH" \
"$CLANG_BUILD_DIR/src/$LLVM_PROJECT"
done
if [ $CLANG_TOOLS_EXTRA_ENABLED -ne 0 ]; then
echo "Checking out https://llvm.org/svn/llvm-project/clang-tools-extra to $CLANG_BUILD_DIR/src/clang/tools/extra"
- # FIXME: --trust-server-cert is required to workaround 'SSL issuer is not
- # trusted' error. Using https seems preferable to http either way,
- # albeit this is not secure.
- svn co -q $SVN_REV_ARG --trust-server-cert \
+ svn co -q $SVN_REV_ARG \
"https://llvm.org/svn/llvm-project/clang-tools-extra/$LLVM_BRANCH" \
"$CLANG_BUILD_DIR/src/clang/tools/extra"
fi
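Review bot: With `--trust-server-cert` dropped, both `svn co -q $SVN_REV_ARG` invocations run in interactive mode, so a certificate that fails validation (for example in an image without ca-certificates) makes svn prompt to (R)eject or accept the certificate instead of failing cleanly; under `docker build` with no tty the outcome depends on the svn version and is at best a confusing error. Adding `--non-interactive` makes the commit's intent explicit — any TLS validation failure aborts the checkout: `svn co -q --non-interactive $SVN_REV_ARG \`. `$SVN_REV_ARG` is left unquoted, presumably on purpose so an empty value contributes no argument; a comment saying so would stop the next reader from "fixing" it. The `for` loop enclosing the first checkout starts before this hunk.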