This repo contains plain text files for the packages approved for installation in restricted build environments,
specifically meant for use with the apt_packages addon in
travis-build.
PLEASE READ CAREFULLY!
-
Check the list of approved packages for your build environment (most likely
ubuntu-precise). -
If it's not in there, check for existing issues and pull requests requesting the package you want, and if one doesn't exist please open an issue requesting the package you need in the this repo (and be sure to replace
__PACKAGE__in the issue title). -
Currently, we are in the process of automating request approval process.
-
This means that the issues' subject should follow exactly the one indicated. That is, there should be exactly one package per issue. The process would not work with multiple package requests in one issue.
-
If the source package defines multiple packages, those will be processed at once. In this case, list only one.
-
PRs are not accepted, since we have not run tests on them.
-
The automation process will test the source package as described below.
-
If no issues are found, a PR will be opened, and it will be merged shortly thereafter.
-
If no matching source packages is found, a comment indicating this is posted on the issue. This means that either the package name is incorrect, or that your request requires a package repository that is not currently listed in APT source whitelist.
-
The command
```shell
grep -R -i -H -C5 -E --color 'set(uid|euid|gid)' --exclude install-sh .
```
is run on the source package. If any file matches, a comment to this effect will be posted on the issue, prompting further examination. If no further problems are found in the further examination, it will be added to the list.
The approval process is mostly about ensuring the .deb installation hooks don't do anything malicious or goofy that
would open up a container to potential attack from a neighbor. The primary concern is protecting Travis CI customers
and their property 🤘. The steps go like this (for ubuntu precise), much of which is also available as the
travis-download-deb-sources executable within the vagrant box:
- Bring up the vagrant box:
vagrant up trusty - SSH into the vagrant box:
vagrant ssh trusty - Start the Travis Ruby container:
sudo -u ubuntu -i docker run -v /var/tmp:/var/tmp -d travis:ruby - Get the container's IP address:
docker inspect <container-id> - SSH into the container:
ssh travis@<container-ip>(password=travis) - Freshen up the apt cache:
sudo apt-get update - Move into the shared dir or sub directory, e.g.:
mkdir -p /var/tmp/deb-sources ; cd /var/tmp/deb-sources - Grab the package sources:
apt-get source <package-name> - Take a look at the package's extracted hooks:
cd <package-name>/debian ; vim *pre* *post* *inst*(see inspecting packages) - If no malicious or goofy bits are found, 👍
If you work with this repository, installing this pre-commit hook (in your local ~/.git/hooks/pre-commit)
will make your life so much easier:
make sort
git add ubuntu-{precise,trusty}This ensures that the files we need are always sorted without duplicates or blank lines.
- Bring up the vagrant box:
vagrant up trusty - SSH into the vagrant box:
vagrant ssh trusty - Run the
travis-download-deb-sourcesscript for the package in question, e.g.:sudo -u ubuntu -i travis-download-deb-sources git - Proceed with inspecting the
debian/*pre*anddebian/*post*hook scripts. (see inspecting packages)
All together now, for poppler-utils:
# inside the vagrant box
sudo -u ubuntu -i -- travis-download-deb-sources poppler-utils
cd /var/tmp/shared/deb-sources/poppler-0.18.4/debian
vi *{pre,post,inst}*(If you don't have the pre-commit hook)
# either inside the vagrant box in /vagrant or outside in the repo top level
make add PACKAGE=poppler-utils
git commit -vThe big things to worry about are if any of the debian hook scripts are doing malicious or silly things, or if the
package being installed depends on setuid or setgid.
# move into the `deb-sources` directory
pushd /var/tmp/shared/deb-sources
# look for `setuid`, `seteuid`, and `setgid` usage, except for mentions in `install-sh`
grep -l -R -i -E 'set(uid|euid|gid)' . | grep -v -E '\binstall-sh\b'
# if the above `grep` finds anything, take a closer look:
vi $(grep -l -R -i -E 'set(uid|euid|gid)' . | grep -v -E '\binstall-sh\b')
# move into the `debian` directory
pushd $(find . -name debian | head -1)
# take a look at the hook scripts and such
shopt -s nullglob
vi *{pre,post,inst}*There is a helper script at ./bin/travis-list-apt-whitelist-issues which may be used to query the open APT whitelist
requests, as well as for automatic commit message formatting, e.g.:
# list everything
./bin/travis-list-apt-whitelist-issues
# Show only the generated commit messages
./bin/travis-list-apt-whitelist-issues | jq -r .commit_messageFirst things first
shopt -s nullglobGrab 1 or more packages
for pkg in abc def xyz ; do
sudo -u ubuntu -- /usr/local/bin/travis-download-deb-sources "${pkg}" ;
doneEdit any matches for set(uid|euid|gid|egid)
vim $(grep -l -R -i -E 'set(uid|euid|gid)' . | grep -v -E '\binstall-sh\b')Edit any debian package files
for d in $(find . -name debian) ; do
pushd $d && vim *{pre,post,inst}* ; popd ;
doneIf all clear, list all audited package names on one line
for d in $(find . -name debian) ; do
pushd $d &>/dev/null && \
grep ^Package control | awk -F: '{ print $2 }' | xargs echo ;
popd &>/dev/null ;
done | xargs echoBack outside of the Vagrant box, pass this list of packages for addition. Adding both the package name and its' :i386 variant is not always necessary, but doesn't hurt.
(If you don't have the pre-commit hook)
for pkg in abc def xyz ; do
make add PACKAGE=$pkg
make add PACKAGE=${pkg}:i386
doneGrab the generated commit message
./bin/travis-list-apt-whitelist-issues | jq -r '.commit_message' | grep -A2 abcCommit and push, then restart all travis-build apps with a bit o' sleep
for app in $(hk apps | awk '/travis.*build-(prod|stag)/ { print $1 }') ; do
hk restart -a ${app} ;
sleep 5 ;
done