llvm.org GIT mirror llvm / 9ad4660
Addressed some security issues in Dockerfiles. Summary: - Removed --trust-server-cert from `svn checkout` invocations. Installing 'ca-certificates' package on ubuntu adds required CAs to the system and svn can do proper checkout using https. - Added checksum verification when installing cmake from cmake.org. Reviewers: mehdi_amini, klimek Reviewed By: mehdi_amini Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D36673 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@311152 91177308-0d34-0410-b5e6-96231b3b80d8 Ilya Biryukov 2 years ago
3 changed file(s) with 19 addition(s) and 14 deletion(s).
1717
1818 # Install compiler, python and subversion.
1919 RUN apt-get update && \
20 apt-get install -y --no-install-recommends build-essential python2.7 wget \
21 subversion ninja-build && \
20 apt-get install -y --no-install-recommends ca-certificates gnupg \
21 build-essential python2.7 wget subversion ninja-build && \
2222 rm -rf /var/lib/apt/lists/*
2323
24 # Install cmake version that can compile clang into /usr/local.
24 # Import public key required for verifying signature of cmake download.
25 RUN gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684
26
27 # Download, verify and install cmake version that can compile clang into /usr/local.
2528 # (Version in debian8 repos is is too old)
26 RUN wget -O - "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" | \
27 tar xzf - -C /usr/local --strip-components=1
29 RUN mkdir /tmp/cmake-install && cd /tmp/cmake-install && \
30 wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt.asc" && \
31 wget "https://cmake.org/files/v3.7/cmake-3.7.2-SHA-256.txt" && \
32 gpg --verify cmake-3.7.2-SHA-256.txt.asc cmake-3.7.2-SHA-256.txt && \
33 wget "https://cmake.org/files/v3.7/cmake-3.7.2-Linux-x86_64.tar.gz" && \
34 ( grep "cmake-3.7.2-Linux-x86_64.tar.gz" cmake-3.7.2-SHA-256.txt | \
35 sha256sum -c - ) && \
36 tar xzf cmake-3.7.2-Linux-x86_64.tar.gz -C /usr/local --strip-components=1 && \
37 cd / && rm -rf /tmp/cmake-install
2838
2939 # Arguments passed to build_install_clang.sh.
3040 ARG buildscript_args
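Review bot: The `gpg --keyserver hkp://pgp.mit.edu --recv 0x2D2CEF1034921684` step selects the signing key by a 64-bit key ID over unauthenticated HKP, and the later `gpg --verify` accepts a good signature from any key present in the keyring, so the checksum file is only as trustworthy as whatever key the keyserver returned for that ID. Pinning the full fingerprint would close that gap, e.g. `RUN gpg --keyserver hkp://pgp.mit.edu --recv-keys <FULL_40_HEX_FINGERPRINT_OF_CMAKE_RELEASE_KEY>` (placeholder; take the value from a trusted copy of the key). Alternatively the public key could be committed next to the Dockerfile and loaded with `gpg --import`, which also removes the build's dependency on keyserver availability. The rest of the chain (signed SHA-256.txt, then `sha256sum -c` on the matching line) looks sound; an empty `grep` result should make `sha256sum -c -` fail rather than pass.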
1616
1717 # Install llvm build dependencies.
1818 RUN apt-get update && \
19 apt-get install -y --no-install-recommends cmake python2.7 subversion ninja-build && \
19 apt-get install -y --no-install-recommends ca-certificates cmake python2.7 \
20 subversion ninja-build && \
2021 rm -rf /var/lib/apt/lists/*
2122
2223 # Run the build. Results of the build will be available as /tmp/clang.tar.gz.
166166 fi
167167
168168 echo "Checking out https://llvm.org/svn/llvm-project/$SVN_PROJECT to $CLANG_BUILD_DIR/src/$LLVM_PROJECT"
169 # FIXME: --trust-server-cert is required to workaround 'SSL issuer is not
170 # trusted' error. Using https seems preferable to http either way,
171 # albeit this is not secure.
172 svn co -q $SVN_REV_ARG --trust-server-cert \
169 svn co -q $SVN_REV_ARG \
173170 "https://llvm.org/svn/llvm-project/$SVN_PROJECT/$LLVM_BRANCH" \
174171 "$CLANG_BUILD_DIR/src/$LLVM_PROJECT"
175172 done
176173
177174 if [ $CLANG_TOOLS_EXTRA_ENABLED -ne 0 ]; then
178175 echo "Checking out https://llvm.org/svn/llvm-project/clang-tools-extra to $CLANG_BUILD_DIR/src/clang/tools/extra"
179 # FIXME: --trust-server-cert is required to workaround 'SSL issuer is not
180 # trusted' error. Using https seems preferable to http either way,
181 # albeit this is not secure.
182 svn co -q $SVN_REV_ARG --trust-server-cert \
176 svn co -q $SVN_REV_ARG \
183177 "https://llvm.org/svn/llvm-project/clang-tools-extra/$LLVM_BRANCH" \
184178 "$CLANG_BUILD_DIR/src/clang/tools/extra"
185179 fi
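Review bot: With the FIXME removed, nothing next to the two `svn co` calls records that certificate validation now depends on the image's CA store. If `ca-certificates` is later dropped from a Dockerfile, the checkout will fail with the old 'SSL issuer is not trusted' error and the tempting fix is to put the flag back. A short comment above each call would guard against that, e.g. `# Server cert is validated against the system CA store (ca-certificates); do not add --trust-server-cert.` Adding `--non-interactive` to both invocations would also make a validation failure abort the checkout instead of waiting on a prompt if the script is ever run with a terminal attached. The enclosing loop and `if` start outside the hunk, so whether a failed checkout stops the script is not visible here.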