Fix format for debootstrap command
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
0346407664
commit
492698715a
1 changed files with 4 additions and 4 deletions
|
|
@ -20,7 +20,7 @@ lang: en
|
||||||
At Gatewatcher[^GW], we put efforts in making our building system reproducible
|
At Gatewatcher[^GW], we put efforts in making our building system reproducible
|
||||||
and working offline, so that we can reduce the risk of supply chain attacks.
|
and working offline, so that we can reduce the risk of supply chain attacks.
|
||||||
Some efforts are also made so that our building system run with as few
|
Some efforts are also made so that our building system run with as few
|
||||||
privileges as possible.
|
privileges as possible.
|
||||||
[^GW]: https://www.gatewatcher.com/
|
[^GW]: https://www.gatewatcher.com/
|
||||||
|
|
||||||
One of the few things we were still running as a privileged user recently was
|
One of the few things we were still running as a privileged user recently was
|
||||||
|
|
@ -33,8 +33,8 @@ from a web server, does no verification whatsoever of that blob and ships it as
|
||||||
the root filesystem[^debdock]. Even though the root filesystem they are using
|
the root filesystem[^debdock]. Even though the root filesystem they are using
|
||||||
can be rebuilt in a reproducible way, downloading the result from Internet
|
can be rebuilt in a reproducible way, downloading the result from Internet
|
||||||
without verifying it against the expected hash is sort of missing the point of
|
without verifying it against the expected hash is sort of missing the point of
|
||||||
reproducible builds. Also, debuerreotype uses debootstrap, which is problematic
|
reproducible builds. Also, debuerreotype uses `debootstrap`, which is
|
||||||
in itself, as explained hereafter.
|
problematic in itself, as explained hereafter.
|
||||||
[^debdock]: https://github.com/debuerreotype/docker-debian-artifacts/blob/master/download.sh#L7
|
[^debdock]: https://github.com/debuerreotype/docker-debian-artifacts/blob/master/download.sh#L7
|
||||||
|
|
||||||
To create such root filesystem, multiple tools are provided by the Debian team,
|
To create such root filesystem, multiple tools are provided by the Debian team,
|
||||||
|
|
@ -97,7 +97,7 @@ $ readlink /path/to/my/chroot/usr/sbin/telinit
|
||||||
After some verifications, we decided that it was safe to fake the use of
|
After some verifications, we decided that it was safe to fake the use of
|
||||||
`fakechroot`, while using the "fakechroot" installation variant. For this, we
|
`fakechroot`, while using the "fakechroot" installation variant. For this, we
|
||||||
set the environment variable `FAKECHROOT` to `true`, which fakechroot is
|
set the environment variable `FAKECHROOT` to `true`, which fakechroot is
|
||||||
supposed to set and which is controlled by debootstrap to authorize the use of
|
supposed to set and which is controlled by `debootstrap` to authorize the use of
|
||||||
the "fakechroot" variant. And it worked.
|
the "fakechroot" variant. And it worked.
|
||||||
|
|
||||||
So to build a working root filesystem from an unprivileged user, we are now
|
So to build a working root filesystem from an unprivileged user, we are now
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue