lxc-debian: avoid installing unauthenticated packages

--force-yes is deprecated, and is a shortcut for
--allow-unauthenticated, --allow-downgrades, --allow-remove-essential,
--allow-change-held-packages. --allow-unauthenticated is the only
likely to be needed here, so instead of allowing unauthenticated
packages, copy any custom keyring used inside the rootfs so any packages
we need to install are properly authenticated. The common case is
debian-ports-archive-keyring.

Signed-off-by: Antonio Terceiro <terceiro@debian.org>
This commit is contained in:
Antonio Terceiro 2022-04-10 06:20:18 -03:00
parent 4b041f1d18
commit 56a2d30c41

View File

@ -269,7 +269,7 @@ install_packages()
local packages="$*" local packages="$*"
if [ -n "${packages}" ] && apt_update_packages; then if [ -n "${packages}" ] && apt_update_packages; then
chroot "${rootfs}" apt-get install --force-yes -y --no-install-recommends ${packages} chroot "${rootfs}" apt-get install -y --no-install-recommends ${packages}
elif [ -n "${packages}" ]; then elif [ -n "${packages}" ]; then
echo "Apt update failed, not downloading packages" echo "Apt update failed, not downloading packages"
fi fi
@ -614,6 +614,13 @@ EOF
write_sourceslist "${rootfs}" "${release}" write_sourceslist "${rootfs}" "${release}"
fi fi
# Copy non-standard keyring inside rootfs
local extra_keyring
extra_keyring="${rootfs}/etc/apt/trusted.gpg.d/lxc-create-$(basename "${KEYRING}")"
if [ "${KEYRING}" != "${DEBIAN_ARCHIVE_KEYRING}" ]; then
cp "${KEYRING}" "${extra_keyring}"
fi
# Install Packages in container # Install Packages in container
if [ -n "${packages}" ]; then if [ -n "${packages}" ]; then
local pack_list local pack_list