Fix expired Valid-Until bypass missing on second apt-get update in builder-buster#24
hsbt merged 2 commits into split-image-build from
…er-buster Co-authored-by: hsbt <12301+hsbt@users.noreply.github.com>
Pull request overview
This PR stabilizes the builder-buster Docker build stage by ensuring apt metadata expiration checks are consistently bypassed when updating from archive.debian.org (Debian Buster).
Changes:
- Adds -o Acquire::Check-Valid-Until=false to the second apt-get update in the builder-buster stage.
| RUN dpkg --add-architecture i386 \ | ||
| && echo "deb-src http://archive.debian.org/debian/ buster main" > /etc/apt/sources.list.d/deb-src.list \ | ||
| && echo 'Dpkg::Use-Pty "0";\nquiet "2";\nAPT::Install-Recommends "0";' > /etc/apt/apt.conf.d/99autopilot \ | ||
| && echo 'Acquire::HTTP::No-Cache "True";' > /etc/apt/apt.conf.d/99no-cache \ | ||
| && apt-get update \ | ||
| && apt-get update -o Acquire::Check-Valid-Until=false \ |
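Review bot: the echo '...\n...' that writes /etc/apt/apt.conf.d/99autopilot depends on the shell's echo expanding \n. Debian's /bin/sh (dash) does, but bash's builtin echo does not without -e, so if this RUN ever executes under a SHELL ["/bin/bash", "-c"] directive the file would contain a literal backslash-n between the three directives and apt would no longer read them as intended. printf 'Dpkg::Use-Pty "0";\nquiet "2";\nAPT::Install-Recommends "0";\n' > /etc/apt/apt.conf.d/99autopilot behaves the same under every shell. This is pre-existing rather than introduced by this PR, but the block is being touched anyway.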
This stage now passes -o Acquire::Check-Valid-Until=false, but the flag is duplicated across multiple apt-get update calls (and was easy to miss previously). Consider setting Acquire::Check-Valid-Until "false"; in an apt.conf.d file for the builder-buster stage instead, so any future apt-get update/apt invocations inherit it automatically.
| && echo 'Dpkg::Use-Pty "0";\nquiet "2";\nAPT::Install-Recommends "0";' > /etc/apt/apt.conf.d/99autopilot \ | ||
| && echo 'Acquire::HTTP::No-Cache "True";' > /etc/apt/apt.conf.d/99no-cache \ | ||
| && apt-get update \ | ||
| && apt-get update -o Acquire::Check-Valid-Until=false \ |
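Review bot: the -o Acquire::Check-Valid-Until=false on the second apt-get update only covers that one invocation, while the other overrides in this block (99autopilot, 99no-cache) already live in apt.conf.d; writing Acquire::Check-Valid-Until "false"; next to Acquire::HTTP::No-Cache "True"; in 99no-cache, or in its own file such as 99archive-debian-org, keeps every apt-get update in the stage consistent and records why the check is off. Keep the file confined to the stages that fetch from archive.debian.org: the option suppresses only the Release-file expiry check (signature verification of InRelease/Release.gpg still runs), but a stage pointed at a live mirror should keep expiry enforced so a replayed, still-signed index is refused.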
Disabling APT’s Valid-Until check via -o Acquire::Check-Valid-Until=false weakens the repository freshness guarantee and enables replay/freeze attacks on package metadata. A network attacker who can intercept HTTP traffic to the Debian archive can replay an older, still-signed Release file and package index, causing your build to pull stale or more vulnerable package versions than intended. Consider avoiding this override if possible (e.g., by using a maintained base image, pinned snapshot, or other mechanism) so that APT continues enforcing metadata expiration.
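As an added illustration of the check the option turns off (example code written for this page, not part of the PR or of the project's Dockerfile): APT reads the Valid-Until field of the signed Release file and, when Acquire::Check-Valid-Until is left at its default, refuses to use the index once that time has passed, which is the "Release file ... is expired" error the buster stage hits against archive.debian.org. The POSIX shell functions below perform the same comparison on a constructed Release header whose dates are made up; the function names, the sample header and the epoch timestamps are all assumptions of this example. Pipe a real header (for instance http://archive.debian.org/debian/dists/buster/Release) through release_valid_until to see the expired date the stage is working around.

```shell
#!/bin/sh
# Added example: re-implements APT's Valid-Until freshness test on a Release
# header. SAMPLE_RELEASE is constructed for this page; its dates are made up.
SAMPLE_RELEASE='Origin: Debian
Label: Debian
Suite: oldoldstable
Codename: buster
Date: Sat, 10 Sep 2022 10:00:00 UTC
Valid-Until: Sat, 17 Sep 2022 10:00:00 UTC
Architectures: amd64 i386
Components: main'

# Print the Valid-Until value of the Release text read from stdin (empty if absent).
release_valid_until() {
    sed -n 's/^Valid-Until: //p' | head -n 1
}

# release_is_fresh RELEASE_TEXT NOW_EPOCH
# Exit 0 while the Release is still valid at NOW_EPOCH, 1 once it has expired,
# 2 when it carries no Valid-Until (APT then applies no expiry at all), 3 if the
# date cannot be parsed. Uses GNU date for the -d flag.
release_is_fresh() {
    vu=$(printf '%s\n' "$1" | release_valid_until)
    [ -n "$vu" ] || return 2
    expires=$(date -u -d "$vu" +%s) || return 3
    [ "$2" -lt "$expires" ]
}

# check_release RELEASE_TEXT NOW_EPOCH [CHECK_VALID_UNTIL]
# Mirrors what apt-get update does: with Check-Valid-Until at its default
# ("true") an expired Release is an error; with "false" the index is accepted
# anyway, which is exactly what the flag in this PR trades away.
check_release() {
    rc=0
    release_is_fresh "$1" "$2" || rc=$?
    case $rc in
        0|2) echo "ok: index accepted" ;;
        1)
            if [ "${3:-true}" = "false" ]; then
                echo "ok: expired, accepted because Acquire::Check-Valid-Until=false"
            else
                echo "E: Release file is expired (Valid-Until: $(printf '%s\n' "$1" | release_valid_until))"
                return 1
            fi ;;
        *) echo "E: cannot parse Valid-Until"; return 1 ;;
    esac
}

# Usage: the same header checked before and after expiry, without and with the flag.
check_release "$SAMPLE_RELEASE" 1661990400           # 1 Sep 2022: accepted
check_release "$SAMPLE_RELEASE" 1664582400 || true   # 1 Oct 2022: expired, error
check_release "$SAMPLE_RELEASE" 1664582400 false     # 1 Oct 2022: accepted with the flag
```

The check is deliberately the only thing the flag changes: the signature over the Release file is still verified by APT, so what the override gives up is the guarantee that the signed index is a recent one, which is the replay window the comment above describes.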
The builder-buster stage targets archive.debian.org (Buster), whose metadata has expired Valid-Until headers. The first apt-get update correctly bypassed this with -o Acquire::Check-Valid-Until=false, but the second apt-get update — run after adding the i386 architecture and deb-src — was missing the flag, causing flaky/failing builds.
Change
-o Acquire::Check-Valid-Until=false to the second apt-get update in builder-buster: