
Prefer dget to wget for some debian src downloads #14661

Open. guillaumelambert wants to merge 2 commits into master from wget_to_dget.

Conversation

guillaumelambert (Contributor) commented Apr 14, 2023

  • use dget instead of wget in some Makefiles
  • switch related HTTP URLs to HTTPS and the official Debian mirror when possible
    (to work, the current Azure mirror of Debian pkg and src requires additional HTTP GET parameters incompatible with dget)

Why I did it

SONiC image compilation is currently designed to be performed with a non-root user under Ubuntu systems.
And the build process recompiles packages for various GNU+Linux Debian distributions.
However, there is no guarantee that Debian repos are declared in /etc/apt/sources.list on the Ubuntu host system used. As a result, 'apt-get source' cannot be directly used out of the box. Currently, the package sources are retrieved from more or less official URLs and locations with dget and wget.

As discussed at the following URL,
https://serverfault.com/questions/447457/use-apt-get-source-on-a-debian-repo-without-using-etc-apt-source-list, dget is the simplest solution.

wget has several drawbacks from a maintenance and security standpoint:

  • retrieving multiple URLs
  • loose authentication of package sources, especially when retrieved with HTTP instead of HTTPS. This is potentially vulnerable to MITM and can induce malicious code injection.

dget by default verifies package signatures and can prevent most such MITM attacks.
This verification is sometimes forgotten when multiple wget commands are needed (cf. the ntp package build).

Which release branch to backport (provide reason below if selected)

potentially all, but it might need slight modifications when cherry-picking

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211

A picture of a cute animal (not mandatory but encouraged)

//
('>
/rr
*))_
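The point about what a bare wget of a tarball skips can be made concrete. The POSIX shell script below is an added example, not code from the SONiC repository or from this PR; it reimplements, in simplified form, the integrity check that dget hands to dscverify once the .dsc's OpenPGP signature has been validated: every file named in the .dsc's Checksums-Sha256 field is compared by size and SHA-256 digest with the file actually sitting next to the .dsc. The package name `example`, the file names and the tarball contents are constructed, the .dsc is unsigned (so the signature step itself is not reproduced here), and the functions `verify_dsc`, `make_fixture` and `tamper` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SONiC PR: the integrity step that dget
# performs (through dscverify) after the .dsc signature check, written out
# as a POSIX shell function so the difference from a bare wget of a tarball
# is visible. Package name, file names and contents below are constructed.

# verify_dsc DSC
# Check every file listed in the Checksums-Sha256 field of DSC against the
# file of that name next to the .dsc. Returns 0 only if all sizes and
# SHA-256 digests match; prints one status line per file.
verify_dsc() {
    dsc=$1
    dir=$(dirname "$dsc")
    status=0
    # Checksums-Sha256 is a multi-line field: the header line is followed by
    # indented entries of the form "<sha256> <size> <filename>", terminated
    # by the next unindented field. awk extracts just those entries.
    entries=$(awk '/^Checksums-Sha256:/ {f=1; next}
                   /^[^ ]/             {f=0}
                   f && NF >= 3        {print $1, $2, $3}' "$dsc")
    if [ -z "$entries" ]; then
        echo "no Checksums-Sha256 field in $dsc"
        return 1
    fi
    # Heredoc rather than a pipe, so the loop runs in the current shell and
    # its updates to $status survive.
    while read -r want size name; do
        [ -n "$name" ] || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name"
            status=1
            continue
        fi
        got=$(sha256sum "$path" | cut -d' ' -f1)
        got_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$got" = "$want" ] && [ "$got_size" = "$size" ]; then
            echo "OK      $name"
        else
            echo "BAD     $name (expected $want/$size bytes, got $got/$got_size bytes)"
            status=1
        fi
    done <<EOF
$entries
EOF
    return "$status"
}

# make_fixture
# Create a constructed source package (one "orig" tarball plus a .dsc whose
# Checksums-Sha256 describes it) in a fresh temp directory; prints the path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$dir/example_1.0.orig.tar.gz"
    sum=$(sha256sum "$dir/example_1.0.orig.tar.gz" | cut -d' ' -f1)
    size=$(wc -c < "$dir/example_1.0.orig.tar.gz" | tr -d ' ')
    # Minimal .dsc; a real one also carries Maintainer, Build-Depends and an
    # OpenPGP clearsign that dscverify checks before trusting these sums.
    cat > "$dir/example_1.0.dsc" <<EOF
Format: 1.0
Source: example
Version: 1.0
Checksums-Sha256:
 $sum $size example_1.0.orig.tar.gz
Files:
 00000000000000000000000000000000 $size example_1.0.orig.tar.gz
EOF
    echo "$dir"
}

# tamper DIR
# Simulate a tarball that was altered in transit (the case a plain-HTTP
# wget cannot detect): one appended byte changes both size and digest.
tamper() {
    printf 'x' >> "$1/example_1.0.orig.tar.gz"
}

# Stand-alone demonstration: pass on the intact fixture, fail after tampering.
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    verify_dsc "$d/example_1.0.dsc"
    tamper "$d"
    verify_dsc "$d/example_1.0.dsc" || echo "verification failed as expected"
    rm -rf "$d"
fi
```

Run it as `sh verify_dsc.sh demo` (assumed file name) to see the check pass on the intact fixture and fail after one byte is appended. The check is only as trustworthy as the .dsc it reads, which is why dget's signature verification against the Debian keyring and the PR's move to HTTPS matter together: a .dsc fetched over plain HTTP and never signature-checked could be rewritten along with the tarball it describes. For the same reason, a Makefile that passes `-u` (`--allow-unauthenticated`) to dget gives up exactly the protection this PR introduces.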

@guillaumelambert guillaumelambert force-pushed the wget_to_dget branch 4 times, most recently from 3de6508 to c80fe93 on April 14, 2023 20:03
- use dget instead of wget in some Makefiles
- switch related HTTP URLs to HTTPS and the official Debian mirror when
  possible

TODO: migrate the Azure Debian mirror to the official Debian ones (this might
require upgrading some Debian package versions in rules/*.mk)
NB: A more complete solution with apt-get is proposed in
sonic-net#13381

SONiC image compilation is currently designed to be performed with a
non-root user under Ubuntu systems.
And the build process recompiles packages for various GNU+Linux Debian
distributions.
However, there is no guarantee that Debian repos are declared in
/etc/apt/sources.list on the Ubuntu host system used.
As a result, 'apt-get source' cannot be directly used out of the box.
Currently, the package sources are retrieved from more or less official URLs
and locations with dget and wget.

As discussed at the following URL,
https://serverfault.com/questions/447457/use-apt-get-source-on-a-debian-repo-without-using-etc-apt-source-list
dget is the simplest solution.

wget has several drawbacks from a maintenance and security standpoint:

- retrieving multiple URLs
- loose authentication of package sources, especially when retrieved with HTTP instead of HTTPS.
  This is potentially vulnerable to MITM and can induce malicious code injection.

dget by default verifies package signatures and can prevent most such MITM attacks.

Signed-off-by: Guillaume Lambert <guillaume.lambert@orange.com>
Signed-off-by: Guillaume Lambert <guillaume.lambert@orange.com>
@guillaumelambert guillaumelambert marked this pull request as ready for review April 20, 2023 14:43