From 580a9eb058e48751c5bbb3672e454d9340ae9657 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Thu, 16 Mar 2017 14:48:08 +0100 Subject: [PATCH] buildserver: support HTTPS Debian mirrors The ever troublesome gpjenkins box needs to use HTTPS mirrors. Plus it improves the security of the buildserver, since there have been CVEs that HTTPS would protect against: https://www.debian.org/security/2016/dsa-3733 --- buildserver/provision-apt-get-install | 9 +++++++-- jenkins-build-makebuildserver | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/buildserver/provision-apt-get-install b/buildserver/provision-apt-get-install index 8edefb50..996454e8 100644 --- a/buildserver/provision-apt-get-install +++ b/buildserver/provision-apt-get-install @@ -6,14 +6,19 @@ set -x debian_mirror=$1 -sed -i "s,http://ftp.uk.debian.org/debian/,${debian_mirror},g" /etc/apt/sources.list - printf 'APT::Install-Recommends "0";\nAPT::Install-Suggests "0";\n' \ > /etc/apt/apt.conf.d/99no-install-recommends printf 'APT::Acquire::Retries "20";\n' \ > /etc/apt/apt.conf.d/99acquire-retries +if echo $debian_mirror | grep '^https' 2>&1 > /dev/null; then + apt-get -y update + apt-get -y install apt-transport-https +fi + +sed -i "s,http://ftp.uk.debian.org/debian/,${debian_mirror},g" /etc/apt/sources.list + if grep --quiet jessie /etc/apt/sources.list; then echo "deb $debian_mirror jessie-backports main" > /etc/apt/sources.list.d/backports.list echo "deb $debian_mirror testing main" > /etc/apt/sources.list.d/testing.list diff --git a/jenkins-build-makebuildserver b/jenkins-build-makebuildserver index 430b27a3..6d459fa5 100755 --- a/jenkins-build-makebuildserver +++ b/jenkins-build-makebuildserver 
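Review bot: The added `apt-get -y update` and `apt-get -y install apt-transport-https` in buildserver/provision-apt-get-install run before the relocated `sed` rewrites /etc/apt/sources.list, so the bootstrap fetch still goes over the base box's plain-HTTP mirror and relies on apt's signature checks alone, which is the exposure the commit message cites DSA-3733 for. That ordering looks unavoidable on a box that lacks the HTTPS transport, so I would document it above the `if` with a comment such as `# bootstrap over the box's original HTTP mirror: apt-transport-https must be installed before sources.list can point at https`. The `sed` only matches the literal `http://ftp.uk.debian.org/debian/`, so a base image that lists a different mirror would silently stay on HTTP; a check after the `sed`, e.g. `grep -qF -- "$debian_mirror" /etc/apt/sources.list || exit 1`, would catch that. The test itself leaves `$debian_mirror` unquoted and its `2>&1 > /dev/null` order sends stderr to the original stdout rather than discarding it; `if printf '%s\n' "$debian_mirror" | grep -q '^https://'; then` is tighter. The script starts before this hunk and the `if grep --quiet jessie` block continues past it.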
@@ -46,7 +46,7 @@ export VAGRANT_HOME=$WORKSPACE/vagrant.d mkdir $VAGRANT_HOME cd $WORKSPACE -echo "debian_mirror = 'http://ftp.uk.debian.org/debian/'" > $WORKSPACE/makebuildserver.config.py +echo "debian_mirror = 'https://deb.debian.org/debian/'" > $WORKSPACE/makebuildserver.config.py echo "boot_timeout = 1200" >> $WORKSPACE/makebuildserver.config.py echo "apt_package_cache = True" >> $WORKSPACE/makebuildserver.config.py ./makebuildserver --verbose --clean -- 2.30.2
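Review bot: The changed line in jenkins-build-makebuildserver still redirects to an unquoted `$WORKSPACE/makebuildserver.config.py`, so a workspace path containing spaces or glob characters would break the write, or land it in the wrong file. I would quote the target while touching the line: `echo "debian_mirror = 'https://deb.debian.org/debian/'" > "$WORKSPACE/makebuildserver.config.py"`. The neighbouring context lines (`mkdir $VAGRANT_HOME`, `cd $WORKSPACE`, the `>>` appends) have the same pattern. The script begins outside this hunk, so whether `WORKSPACE` is validated earlier cannot be seen here.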