fix(build): preserve signed Ubuntu apt sources #77

Merged
JSONbored merged 1 commit into main from codex/fix-mem0-ports-mirror-publish-2026-05-10 on May 10, 2026
Conversation

@JSONbored
Owner

Summary

  • preserve the official Ubuntu base-image apt source URIs instead of rewriting Ubuntu archive/ports sources to HTTPS
  • require Ubuntu archive Signed-By metadata and reject unsupported plaintext apt sources
  • keep strict TLS verification for HTTPS apt sources and the existing apt retry/timeout hardening
  • update the Dockerfile regression test to cover the corrected signed-source policy

What changed

  • removed the blanket http:// to https:// rewrite from the Docker build bootstrap
  • added a source guard for official Ubuntu HTTP archives and arbitrary HTTPS sources
  • retained APT retry, host queue mode, IPv4, timeout, and TLS verification settings
  • updated security-default tests so this cannot regress back to forced HTTPS ports behavior

Why

The previous hardening forced Ubuntu ports traffic over HTTPS. That diverged from the official Ubuntu arm64 base image source configuration and repeatedly broke remote multi-arch package builds in the publish job. Ubuntu archive package authenticity is provided by signed archive metadata and the Ubuntu archive keyring; the safer operational policy here is to preserve signed official Ubuntu archive sources and block unknown plaintext repositories.

Validation

  • uv run --with pytest --with defusedxml pytest tests/template/test_security_defaults.py
  • docker buildx build --no-cache --progress=plain --platform linux/arm64 --load -t mem0-aio:arm64-apt-http .
  • docker buildx build --no-cache --progress=plain --platform linux/amd64 --load -t mem0-aio:amd64-apt-http .
  • uv run --with pytest --with defusedxml pytest (23 passed in 177.87s)
  • git diff --check
  • aio-fleet validate-repo --repo mem0-aio --repo-path /Users/shadowbook/.codex/worktrees/security-2026-05-09/mem0-aio
  • aio-fleet trunk run --repo mem0-aio --repo-path /Users/shadowbook/.codex/worktrees/security-2026-05-09/mem0-aio --no-fix

Notes

This is intended to unblock the normal aio-fleet publish path for mem0-aio. It does not create a formal GitHub Release; app images/packages publish from main, while formal releases remain release-driven.
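The source guard and the retained apt hardening described in the PR above, written out as an added example; this is not the mem0-aio project's own Docker build bootstrap. The function names (deb822_uris, check_apt_uri, apt_source_guard, write_apt_hardening, sample_sources), the allow-list of official Ubuntu archive hosts, the sample sources file and the decision to reject non-http(s) schemes such as file: are all assumptions made for the illustration; the policy itself (plaintext only for official Ubuntu archives that carry Signed-By, any HTTPS source allowed with certificate verification, everything else rejected) follows the PR description.

```shell
#!/bin/sh
# Added example for this PR page, not the mem0-aio project's own bootstrap.
# Function names, the host allow-list and the sample sources file below are
# assumptions made for the illustration.

# Hosts whose plaintext http:// URIs are tolerated: apt verifies their
# InRelease metadata against the keyring named by Signed-By, so HTTPS would
# add transport privacy but not package authenticity.
OFFICIAL_UBUNTU_HOSTS="archive.ubuntu.com security.ubuntu.com ports.ubuntu.com"

# Print one "URI<TAB>Signed-By" line per URI of each deb822 stanza in $1.
# Signed-By is empty when the stanza has none; an inline armoured key (value
# on continuation lines) is reported as "inline". Enabled: is not honoured.
deb822_uris() {
    awk '
        function flush(   n, i, u) {
            n = split(uris, u, /[ \t]+/)
            for (i = 1; i <= n; i++) if (u[i] != "") print u[i] "\t" signed
            uris = ""; signed = ""
        }
        /^[ \t]*#/    { next }
        /^[ \t]*$/    { flush(); next }
        /^URIs:/      { sub(/^URIs:[ \t]*/, ""); uris = $0; next }
        /^Signed-By:/ { sub(/^Signed-By:[ \t]*/, "")
                        signed = ($0 == "") ? "inline" : $0; next }
        END { flush() }
    ' "$1"
}

# Policy for one URI ($1) with its stanza's Signed-By value ($2):
# https:// accepted for any host (apt checks the certificate, see
# write_apt_hardening); http:// only for an official Ubuntu archive host
# whose stanza carries Signed-By; any other scheme (file:, cdrom:, ...) rejected.
check_apt_uri() {
    case $1 in
        https://*) return 0 ;;
        http://*)
            host=${1#http://}; host=${host%%/*}; host=${host%%:*}
            for h in $OFFICIAL_UBUNTU_HOSTS; do
                [ "$host" = "$h" ] && [ -n "$2" ] && return 0
            done
            return 1 ;;
        *) return 1 ;;
    esac
}

# Check every sources file given; report denials on stderr and return
# non-zero if any URI violates the policy, so a RUN step fails the build.
apt_source_guard() {
    bad=0
    for f in "$@"; do
        list=$(deb822_uris "$f")
        while IFS="$(printf '\t')" read -r uri signed; do
            [ -n "$uri" ] || continue
            if check_apt_uri "$uri" "$signed"; then
                echo "ok   $uri"
            else
                echo "DENY $uri in $f (not an official Ubuntu http mirror with Signed-By)" >&2
                bad=$((bad + 1))
            fi
        done <<EOF
$list
EOF
    done
    [ "$bad" -eq 0 ]
}

# The retry / host queue / IPv4 / timeout / TLS-verification settings the PR
# keeps, as an apt.conf(5) fragment written to $1
# (in a Dockerfile: /etc/apt/apt.conf.d/99-hardening).
write_apt_hardening() {
    cat > "$1" <<'EOF'
Acquire::Retries "3";
Acquire::Queue-Mode "host";
Acquire::ForceIPv4 "true";
Acquire::http::Timeout "30";
Acquire::https::Timeout "30";
Acquire::https::Verify-Peer "true";
Acquire::https::Verify-Host "true";
EOF
}

# Constructed sample (not a real base-image file): an official ports mirror
# with Signed-By (ok), an HTTPS third-party repo (ok), and a plaintext
# unofficial mirror without Signed-By (must be denied).
sample_sources() {
    cat <<'EOF'
Types: deb
URIs: http://ports.ubuntu.com/ubuntu-ports/
Suites: noble noble-updates noble-security
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: https://packages.example.org/apt
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/example.gpg

Types: deb
URIs: http://mirror.example.net/ubuntu-ports/
Suites: noble
Components: main
EOF
}

# `sh apt-source-guard.sh --demo` runs the guard on the sample; exits 1
# because of the third stanza. Without --demo only the functions are defined.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_sources > "$tmp"
    apt_source_guard "$tmp" && rc=0 || rc=1
    rm -f "$tmp"; exit "$rc"
fi
```

In a Dockerfile the guard runs as its own RUN step before the first apt-get update, against /etc/apt/sources.list.d/*.sources, so a base image whose sources drifted to an unknown plaintext mirror fails the build instead of silently fetching from it; the official http:// ports URIs shipped in the arm64 base image pass unchanged, which is exactly the behaviour the PR restores.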

@JSONbored JSONbored merged commit 74b8542 into main May 10, 2026
3 checks passed
@JSONbored JSONbored deleted the codex/fix-mem0-ports-mirror-publish-2026-05-10 branch May 10, 2026 07:35
1 participant