From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 16 Mar 2017 13:48:08 +0000 (+0100)
Subject: buildserver: support HTTPS Debian mirrors
X-Git-Tag: 0.8~99^2
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=580a9eb058e48751c5bbb3672e454d9340ae9657;p=fdroidserver.git

buildserver: support HTTPS Debian mirrors

The ever troublesome gpjenkins box needs to use HTTPS mirrors.  Plus it
improves the security of the buildserver, since there have been CVEs that
HTTPS would protect against:
https://www.debian.org/security/2016/dsa-3733
---

diff --git a/buildserver/provision-apt-get-install b/buildserver/provision-apt-get-install
index 8edefb50..996454e8 100644
--- a/buildserver/provision-apt-get-install
+++ b/buildserver/provision-apt-get-install
@@ -6,14 +6,19 @@ set -x
 
 debian_mirror=$1
 
-sed -i "s,http://ftp.uk.debian.org/debian/,${debian_mirror},g" /etc/apt/sources.list
-
 printf 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";\n' \
        > /etc/apt/apt.conf.d/99no-install-recommends
 
 printf 'APT::Acquire::Retries "20";\n' \
        > /etc/apt/apt.conf.d/99acquire-retries
 
+if echo $debian_mirror | grep '^https' 2>&1 > /dev/null; then
+    apt-get -y update
+    apt-get -y install apt-transport-https
+fi
+
+sed -i "s,http://ftp.uk.debian.org/debian/,${debian_mirror},g" /etc/apt/sources.list
+
 if grep --quiet jessie /etc/apt/sources.list; then
     echo "deb $debian_mirror jessie-backports main" > /etc/apt/sources.list.d/backports.list
     echo "deb $debian_mirror testing main" > /etc/apt/sources.list.d/testing.list
diff --git a/jenkins-build-makebuildserver b/jenkins-build-makebuildserver
index 430b27a3..6d459fa5 100755
--- a/jenkins-build-makebuildserver
+++ b/jenkins-build-makebuildserver
@@ -46,7 +46,7 @@ export VAGRANT_HOME=$WORKSPACE/vagrant.d
 mkdir $VAGRANT_HOME
 
 cd $WORKSPACE
-echo "debian_mirror = 'http://ftp.uk.debian.org/debian/'" > $WORKSPACE/makebuildserver.config.py
+echo "debian_mirror = 'https://deb.debian.org/debian/'" > $WORKSPACE/makebuildserver.config.py
 echo "boot_timeout = 1200" >> $WORKSPACE/makebuildserver.config.py
 echo "apt_package_cache = True" >> $WORKSPACE/makebuildserver.config.py
 ./makebuildserver --verbose --clean