From 492698715ad65258678910480d804a5a44a03f88 Mon Sep 17 00:00:00 2001 From: Florian Maury Date: Fri, 9 Sep 2022 17:36:39 +0200 Subject: [PATCH] Fix format for debootstrap command --- posts/debootscrap.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/posts/debootscrap.md b/posts/debootscrap.md index 85050ac..5d65742 100644 --- a/posts/debootscrap.md +++ b/posts/debootscrap.md @@ -20,7 +20,7 @@ lang: en At Gatewatcher[^GW], we put efforts in making our building system reproducible and working offline, so that we can reduce the risk of supply chain attacks. Some efforts are also made so that our building system run with as few -privileges as possible. +privileges as possible. [^GW]: https://www.gatewatcher.com/ One of the few things we were still running as a privileged user recently was @@ -33,8 +33,8 @@ from a web server, does no verification whatsoever of that blob and ships it as the root filesystem[^debdock]. Even though the root filesystem they are using can be rebuilt in a reproducible way, downloading the result from Internet without verifying it against the expected hash is sort of missing the point of -reproducible builds. Also, debuerreotype uses debootstrap, which is problematic -in itself, as explained hereafter. +reproducible builds. Also, debuerreotype uses `debootstrap`, which is +problematic in itself, as explained hereafter. [^debdock]: https://github.com/debuerreotype/docker-debian-artifacts/blob/master/download.sh#L7 To create such root filesystem, multiple tools are provided by the Debian team, 
@@ -97,7 +97,7 @@ $ readlink /path/to/my/chroot/usr/sbin/telinit After some verifications, we decided that it was safe to fake the use of `fakechroot`, while using the "fakechroot" installation variant. For this, we set the environment variable `FAKECHROOT` to `true`, which fakechroot is -supposed to set and which is controlled by debootstrap to authorize the use of +supposed to set and which is controlled by `debootstrap` to authorize the use of the "fakechroot" variant. And it worked. So to build a working root filesystem from an unprivileged user, we are now
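Review bot: In the first hunk (`@@ -20,7 +20,7 @@`), the removed and added `privileges as possible.` lines differ only in whitespace, which the subject "Fix format for debootstrap command" does not cover. If the trailing whitespace is meant as a Markdown line break ahead of the `[^GW]:` footnote definition, say so in the commit message. Otherwise drop this line from the patch so the change stays limited to the backtick formatting.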
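Review bot: In the second hunk (`@@ -33,8 +33,8 @@`), the sentence "Also, debuerreotype uses `debootstrap`" now formats one tool name as code and leaves the other bare. If the convention is that command names get backticks, apply it to debuerreotype in the same line as well. If only commands the reader types are meant, a short note in the commit message would make the rule clear for later edits.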
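Review bot: In the third hunk (`@@ -97,7 +97,7 @@`), the context line "set the environment variable `FAKECHROOT` to `true`, which fakechroot is" still has a bare fakechroot, while the same paragraph writes `fakechroot` in backticks two lines earlier and this patch backticks `debootstrap` one line later. Format that occurrence too so the paragraph is consistent. The added line is also 80 characters after the change and was not rewrapped, unlike the second hunk, so consider reflowing it to match the rest of the file.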