Compare commits


No commits in common. "48726ae4f2d61ece9b697efbe00e0da55de3748e" and "b489017aaa4d18647e4ce1acdc82447f04f9d64f" have entirely different histories.

37 changed files with 22 additions and 509 deletions

127
Makefile

@ -1,125 +1,40 @@
export SOURCE_DATE_EPOCH = 0
out/bootstrap.oci.tgz:
docker build -t imgrep/bootstrap --output type=oci,dest=$@ bootstrap
docker build -t imgrep/bootstrap --output type=oci,dest=$@ packages/bootstrap
out/musl.oci.tgz: \
out/bootstrap.oci.tgz
docker build -t imgrep/musl --output type=oci,dest=$@ musl
docker build -t imgrep/musl --output type=oci,dest=$@ packages/musl
out/busybox.oci.tgz: \
out/bootstrap.oci.tgz
docker build -t imgrep/busybox --output type=oci,dest=$@ busybox
docker build -t imgrep/busybox --output type=oci,dest=$@ packages/busybox
out/binutils.oci.tgz: \
out/bootstrap.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/binutils --output type=oci,dest=$@ binutils
docker build -t imgrep/binutils --output type=oci,dest=$@ packages/binutils
out/linux-headers.oci.tgz:
docker build -t imgrep/linux-headers --output type=oci,dest=$@ linux-headers
docker build -t imgrep/linux-headers --output type=oci,dest=$@ packages/linux-headers
out/gcc.oci.tgz: \
out/bootstrap.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/gcc --output type=oci,dest=$@ gcc
docker build -t imgrep/gcc --output type=oci,dest=$@ packages/gcc
out/make.oci.tgz: \
out/bootstrap.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/make --output type=oci,dest=$@ make
docker build -t imgrep/make --output type=oci,dest=$@ packages/make
out/ca-certificates.oci.tgz:
docker build -t imgrep/ca-certificates --output type=oci,dest=$@ ca-certificates
docker build -t imgrep/ca-certificates --output type=oci,dest=$@ packages/ca-certificates
out/bash.oci.tgz: \
out/gcc.oci.tgz
docker build -t imgrep/bash --output type=oci,dest=$@ bash
out/m4.oci.tgz: \
out/busybox.oci.tgz \
out/gcc.oci.tgz \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz
docker build -t imgrep/m4 --output type=oci,dest=$@ m4
out/autoconf.oci.tgz: \
out/busybox.oci.tgz \
out/gcc.oci.tgz \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz \
out/perl.oci.tgz \
out/m4.oci.tgz
docker build -t imgrep/autoconf --output type=oci,dest=$@ autoconf
out/automake.oci.tgz: \
out/busybox.oci.tgz \
out/gcc.oci.tgz \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz \
out/perl.oci.tgz \
out/autoconf.oci.tgz \
out/m4.oci.tgz
docker build -t imgrep/automake --output type=oci,dest=$@ automake
out/sed.oci.tgz: \
out/busybox.oci.tgz \
out/gcc.oci.tgz \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz
docker build -t imgrep/sed --output type=oci,dest=$@ sed
out/libtool.oci.tgz: \
out/busybox.oci.tgz \
out/gcc.oci.tgz \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz \
out/bash.oci.tgz \
out/sed.oci.tgz \
out/m4.oci.tgz
docker build -t imgrep/libtool --output type=oci,dest=$@ libtool
out/pkgconf.oci.tgz: \
out/busybox.oci.tgz \
out/gcc.oci.tgz \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz \
out/libtool.oci.tgz
docker build -t imgrep/pkgconf --output type=oci,dest=$@ pkgconf
out/libxml2.oci.tgz: \
out/busybox.oci.tgz \
out/gcc.oci.tgz \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz \
out/bash.oci.tgz \
out/python.oci.tgz \
out/sed.oci.tgz \
out/m4.oci.tgz \
out/autoconf.oci.tgz \
out/automake.oci.tgz \
out/pkgconf.oci.tgz \
out/libtool.oci.tgz
docker build -t imgrep/libxml2 --output type=oci,dest=$@ libxml2
out/libunwind.oci.tgz: \
out/busybox.oci.tgz \
out/gcc.oci.tgz \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz \
out/bash.oci.tgz \
out/autoconf.oci.tgz \
out/automake.oci.tgz \
out/libtool.oci.tgz
docker build -t imgrep/libunwind --output type=oci,dest=$@ libunwind
docker build -t imgrep/bash --output type=oci,dest=$@ packages/bash
out/openssl.oci.tgz: \
out/gcc.oci.tgz \
@ -127,7 +42,7 @@ out/openssl.oci.tgz: \
out/busybox.oci.tgz \
out/linux-headers.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/openssl --output type=oci,dest=$@ openssl
docker build -t imgrep/openssl --output type=oci,dest=$@ packages/openssl
out/go.oci.tgz: \
out/gcc.oci.tgz \
@ -135,7 +50,7 @@ out/go.oci.tgz: \
out/busybox.oci.tgz \
out/bash.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/go --output type=oci,dest=$@ go
docker build -t imgrep/go --output type=oci,dest=$@ packages/go
out/perl.oci.tgz: \
out/gcc.oci.tgz \
@ -143,7 +58,7 @@ out/perl.oci.tgz: \
out/busybox.oci.tgz \
out/make.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/perl --output type=oci,dest=$@ perl
docker build -t imgrep/perl --output type=oci,dest=$@ packages/perl
out/curl.oci.tgz: \
out/gcc.oci.tgz \
@ -153,7 +68,7 @@ out/curl.oci.tgz: \
out/binutils.oci.tgz \
out/openssl.oci.tgz \
out/ca-certificates.oci.tgz
docker build -t imgrep/curl --output type=oci,dest=$@ curl
docker build -t imgrep/curl --output type=oci,dest=$@ packages/curl
out/python.oci.tgz: \
out/gcc.oci.tgz \
@ -163,7 +78,7 @@ out/python.oci.tgz: \
out/openssl.oci.tgz \
out/make.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/python --output type=oci,dest=$@ python
docker build -t imgrep/python --output type=oci,dest=$@ packages/python
out/ninja.oci.tgz: \
out/busybox.oci.tgz \
@ -173,7 +88,7 @@ out/ninja.oci.tgz: \
out/make.oci.tgz \
out/openssl.oci.tgz \
out/python.oci.tgz
docker build -t imgrep/ninja --output type=oci,dest=$@ ninja
docker build -t imgrep/ninja --output type=oci,dest=$@ packages/ninja
out/cmake.oci.tgz: \
out/busybox.oci.tgz \
@ -183,12 +98,12 @@ out/cmake.oci.tgz: \
out/musl.oci.tgz \
out/make.oci.tgz \
out/linux-headers.oci.tgz
docker build -t imgrep/cmake --output type=oci,dest=$@ cmake
docker build -t imgrep/cmake --output type=oci,dest=$@ packages/cmake
out/py-setuptools.oci.tgz: \
out/busybox.oci.tgz \
out/python.oci.tgz
docker build -t imgrep/py-setuptools --output type=oci,dest=$@ py-setuptools
docker build -t imgrep/py-setuptools --output type=oci,dest=$@ packages/py-setuptools
out/zlib.oci.tgz: \
out/busybox.oci.tgz \
@ -196,7 +111,7 @@ out/zlib.oci.tgz: \
out/binutils.oci.tgz \
out/musl.oci.tgz \
out/make.oci.tgz
docker build -t imgrep/zlib --output type=oci,dest=$@ zlib
docker build -t imgrep/zlib --output type=oci,dest=$@ packages/zlib
out/llvm.oci.tgz: \
out/gcc.oci.tgz \
@ -208,7 +123,7 @@ out/llvm.oci.tgz: \
out/ninja.oci.tgz \
out/busybox.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/llvm --output type=oci,dest=$@ llvm
docker build -t imgrep/llvm --output type=oci,dest=$@ packages/llvm
out/llvm13.oci.tgz: \
out/gcc.oci.tgz \
@ -220,7 +135,7 @@ out/llvm13.oci.tgz: \
out/ninja.oci.tgz \
out/busybox.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/llvm13 --output type=oci,dest=$@ llvm13
docker build -t imgrep/llvm13 --output type=oci,dest=$@ packages/llvm13
out/rust.oci.tgz: \
out/gcc.oci.tgz \
@ -232,7 +147,7 @@ out/rust.oci.tgz: \
out/make.oci.tgz \
out/busybox.oci.tgz \
out/musl.oci.tgz
docker build -t imgrep/rust --output type=oci,dest=$@ rust
docker build -t imgrep/rust --output type=oci,dest=$@ packages/rust
test:
docker build -t imgrep/test-c tests/c
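Review bot: The prerequisites on these rules (`out/bootstrap.oci.tgz`, `out/musl.oci.tgz`, …) only order the builds: in the lines shown, no recipe passes them to `docker build` (there is no `$<` or `$^`), so the tarball make just checked is not necessarily what the next build reads. The Dockerfiles visible elsewhere on this page take their inputs as `FROM imgrep/<name>:latest`; if the ones under `packages/` do the same (they are not shown here), each build uses whatever that mutable tag resolves to at build time. Since this Makefile exports `SOURCE_DATE_EPOCH` for reproducibility, I would at least document the gap at the top of the file, e.g. `# prerequisites order the builds only; inputs are resolved by image tag inside each Dockerfile`, until inputs are pinned by digest. The rules also list no `packages/<name>/Dockerfile` prerequisite, so editing a Dockerfile will not rebuild an existing `out/<name>.oci.tgz`, and a stale artifact can be carried forward unnoticed.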

118
README.md

@ -1,118 +0,0 @@
# ImgRep
Repository of reproducibly built images of common open source Linux toolchains
and software with reputation anchored signatures.
## About
We have learned a lot of lessons about supply chain integrity over the years,
and the greatest of them may be that any system that is complex to review and
assigns trust of significant components to single human points of failure, is
doomed to have failure.
Most linux distributions rely on complex package management systems for which
only a single implementation exists. They assign package signing privileges to
individual maintainers at best. Modern popular distros often fail to even do
this, having a central machine somewhere blindly signing all unsigned
contributions from the public.
We will cover an exhaustive comparison of the supply chain strategies of other
linux distros elsewhere, but suffice to say while many are pursuing
reproducible builds, minimalism, or signing... any one distro delivering on all
of these does not seem in the cards any time soon.
This is generally a human problem. Most distros end up generating a lot of
custom tooling for package management, which in turn rapidly grows in
complexity to meet demands ranging from hobby desktop systems production
servers.
This complexity demands a lot of cycles to maintain, and this means in practice
lowering the barrier to entry to allow any hobbyist to contribute and maintain
packages with minimal friction and rarely a requirement of signing keys or
mandatory reproducible builds, let alone multiple signed reproduction proofs.
Suffice to say, we feel every current Linux distribution has single points of
human failure, or review complexity, that makes it undesirable for threat
models that assume any single human can be hacked or coerced.
## Building
### Requirements
* An OCI building runtime
* Currently Docker supported, but will support buildah and podman
* Gnu Make
### Examples
#### Compile all packages
```
make
```
#### Compile specific package
```
make out/rust.tgz
```
#### Reproduce all changed packages
```
make reproduce
```
#### Reproduce all packages without cache
```
make clean reproduce
```
#### Sign current manifest of package hashes
```
make sign
```
## Goals
Not all of these goals are realized yet, but should at least help you decide
if this project is something you want to contribute to or keep an eye on for
the future.
### Integrity
* Anyone can reproduce the entire tree with tools from their current distro
* Hosted CI servers auto-sign confirmed deterministic builds
* Like NixOS
* Maintainers sign all package additions/changes
* Like Gentoo, Debian, Fedora, Guix
* Reviewers locally build and counter-sign all new binary packages
* No one does this, as far as we can tell.
### Reproducibility
* Trust no single external source of binaries
* Bootstrap from two different third party signed distros
* Never use external binaries
* Bootstrap from 0, always, even if it means going back in time
* Go, rust require extensive work to bootstrap all the way back to gcc
* Guix is the only distro that does this for rust to our knowledge
* Full-Source Bootstrap from x86_64 assembly
* Take maximum advantage of the hard won wins by the Guix team
* Bootstrap from guile driver reproduced on multiple signed distros
### Minimalism
* Based on musl libc
* Basis of successful minimal distros like Alpine, Adelie, Talos, Void
* Implemented with about 1/4 the code of glibc
* Required to produce portable static binaries in some languages
* Less prone to buffer overflows
* Puts being light, fast, and correct before compatibility
* Package using tools you already have
* OCI build tool of choice (Docker, Buildah, Podman)
* Make (for dependency management)
* Prove hashes of bootstrap layer builds match before proceeding
* Keep package definitions lean and readable with simple CLI and no magic


@ -1,34 +0,0 @@
FROM imgrep/busybox:latest as busybox
FROM imgrep/gcc:latest as gcc
FROM imgrep/binutils:latest as binutils
FROM imgrep/musl:latest as musl
FROM imgrep/make:latest as make
FROM imgrep/m4:latest as m4
FROM imgrep/perl:latest as perl
FROM busybox as build
ENV SRC_SITE=https://ftp.gnu.org/gnu/autoconf
ENV SRC_VERSION=2.71
ENV SRC_HASH=f14c83cfebcc9427f2c3cea7258bd90df972d92eb26752da4ddad81c87a0faa4
RUN wget ${SRC_SITE}/autoconf-${SRC_VERSION}.tar.xz
RUN echo "${SRC_HASH} autoconf-${SRC_VERSION}.tar.xz" | sha256sum -c
RUN tar -xf autoconf-${SRC_VERSION}.tar.xz
WORKDIR autoconf-${SRC_VERSION}
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=make . /
COPY --from=musl . /
COPY --from=m4 . /
COPY --from=perl . /
ENV M4=/usr/bin/m4
RUN set -eux; \
./configure \
--prefix=/usr; \
make;
RUN make DESTDIR=/home/user/rootfs install
COPY --from=perl . /home/user/rootfs/
FROM scratch
COPY --from=build /home/user/rootfs /
ENTRYPOINT ["/usr/bin/autoreconf"]
CMD ["--version"]


@ -1,36 +0,0 @@
FROM imgrep/busybox:latest as busybox
FROM imgrep/gcc:latest as gcc
FROM imgrep/binutils:latest as binutils
FROM imgrep/musl:latest as musl
FROM imgrep/make:latest as make
FROM imgrep/perl:latest as perl
FROM imgrep/autoconf:latest as autoconf
FROM imgrep/m4:latest as m4
FROM busybox as build
ENV SRC_SITE=https://ftp.gnu.org/gnu/automake
ENV SRC_VERSION=1.16.5
ENV SRC_HASH=f01d58cd6d9d77fbdca9eb4bbd5ead1988228fdb73d6f7a201f5f8d6b118b469
RUN wget ${SRC_SITE}/automake-${SRC_VERSION}.tar.xz
RUN echo "${SRC_HASH} automake-${SRC_VERSION}.tar.xz" | sha256sum -c
RUN tar -xf automake-${SRC_VERSION}.tar.xz
WORKDIR automake-${SRC_VERSION}
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=make . /
COPY --from=musl . /
COPY --from=perl . /
COPY --from=m4 . /
COPY --from=autoconf . /
RUN set -eux; \
./configure \
--prefix=/usr; \
make;
RUN make DESTDIR=/home/user/rootfs install
COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1
COPY --from=perl . /home/user/rootfs/
FROM scratch
COPY --from=build /home/user/rootfs /
ENTRYPOINT ["/usr/bin/automake"]
CMD ["--version"]


@ -1,36 +0,0 @@
FROM imgrep/busybox:latest as busybox
FROM imgrep/gcc:latest as gcc
FROM imgrep/binutils:latest as binutils
FROM imgrep/musl:latest as musl
FROM imgrep/make:latest as make
FROM imgrep/m4:latest as m4
FROM imgrep/bash:latest as bash
FROM imgrep/sed:latest as sed
FROM busybox as build
ENV SRC_SITE=https://ftp.gnu.org/gnu/libtool
ENV SRC_VERSION=2.4.6
ENV SRC_HASH=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
RUN wget ${SRC_SITE}/libtool-${SRC_VERSION}.tar.xz
RUN echo "${SRC_HASH} libtool-${SRC_VERSION}.tar.xz" | sha256sum -c
RUN tar -xf libtool-${SRC_VERSION}.tar.xz
WORKDIR libtool-${SRC_VERSION}
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=make . /
COPY --from=musl . /
COPY --from=m4 . /
RUN set -eux; \
./configure \
--prefix=/usr; \
make;
RUN make DESTDIR=/home/user/rootfs install
COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1
COPY --from=bash . /home/user/rootfs
COPY --from=sed . /home/user/rootfs
RUN ln -s /usr/bin/bash /home/user/rootfs/bin/sh
FROM scratch
COPY --from=build /home/user/rootfs /
ENTRYPOINT ["/usr/bin/libtool"]
CMD ["--version"]


@ -1,41 +0,0 @@
FROM imgrep/busybox:latest as busybox
FROM imgrep/gcc:latest as gcc
FROM imgrep/binutils:latest as binutils
FROM imgrep/musl:latest as musl
FROM imgrep/make:latest as make
FROM imgrep/autoconf:latest as autoconf
FROM imgrep/automake:latest as automake
FROM imgrep/libtool:latest as libtool
FROM busybox as build
ENV SRC_SITE=https://github.com/libunwind/libunwind/releases/download
ENV SRC_VERSION=1.7.2
ENV SRC_HASH=a18a6a24307443a8ace7a8acc2ce79fbbe6826cd0edf98d6326d0225d6a5d6e6
RUN wget ${SRC_SITE}/v${SRC_VERSION}/libunwind-${SRC_VERSION}.tar.gz
RUN echo "${SRC_HASH} libunwind-${SRC_VERSION}.tar.gz" | sha256sum -c
RUN tar -xf libunwind-${SRC_VERSION}.tar.gz
WORKDIR libunwind-${SRC_VERSION}
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=make . /
COPY --from=musl . /
COPY --from=autoconf . /
COPY --from=automake . /
COPY --from=libtool . /
#LDFLAGS="-lucontext" CFLAGS="-fno-stack-protector" \
RUN set -eux; \
./configure \
--build=x86_64-unknown-linux-musl \
--host=x86_64-unknown-linux-musl \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--localstatedir=/usr/share/man \
--enable-cxx-exceptions \
--disable-tests \
--infodir=/usr/share/info; \
make;
RUN make DESTDIR=/home/user/rootfs install
FROM scratch
COPY --from=build /home/user/rootfs /


@ -1,47 +0,0 @@
FROM imgrep/busybox:latest as busybox
FROM imgrep/gcc:latest as gcc
FROM imgrep/binutils:latest as binutils
FROM imgrep/musl:latest as musl
FROM imgrep/make:latest as make
FROM imgrep/autoconf:latest as autoconf
FROM imgrep/automake:latest as automake
FROM imgrep/libtool:latest as libtool
FROM imgrep/pkgconf:latest as pkgconf
FROM imgrep/python:latest as python
FROM imgrep/m4:latest as m4
FROM busybox as build
ENV SRC_SITE=https://gitlab.gnome.org/GNOME/libxml2/-/archive
ENV SRC_VERSION=2.12.1
ENV SRC_HASH=1090e62c5a1900429f63e4681263b96e7829876ccbc66cf2d9266cd589f67286
RUN wget ${SRC_SITE}/v${SRC_VERSION}/libxml2-v${SRC_VERSION}.tar.gz
RUN echo "${SRC_HASH} libxml2-v${SRC_VERSION}.tar.gz" | sha256sum -c
RUN tar -xf libxml2-v${SRC_VERSION}.tar.gz
WORKDIR libxml2-v${SRC_VERSION}
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=make . /
COPY --from=musl . /
COPY --from=python . /
COPY --from=autoconf . /
COPY --from=automake . /
COPY --from=pkgconf . /
COPY --from=libtool . /
COPY --from=m4 . /
RUN ls -lah
RUN set -eux; \
sh autogen.sh; \
./configure \
--build=x86_64-unknown-linux-musl \
--host=x86_64-unknown-linux-musl \
--target=x86_64-unknown-linux-musl \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info; \
make;
RUN make DESTDIR=/home/user/rootfs install
RUN ls -Rlah /home/user/rootfs
FROM scratch
COPY --from=build /home/user/rootfs /


@ -1,30 +0,0 @@
FROM imgrep/busybox:latest as busybox
FROM imgrep/gcc:latest as gcc
FROM imgrep/binutils:latest as binutils
FROM imgrep/musl:latest as musl
FROM imgrep/make:latest as make
FROM busybox as build
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=make . /
COPY --from=musl . /
ENV SRC_SITE=https://ftp.gnu.org/gnu/m4
ENV SRC_VERSION=1.4.19
ENV SRC_HASH=63aede5c6d33b6d9b13511cd0be2cac046f2e70fd0a07aa9573a04a82783af96
RUN wget ${SRC_SITE}/m4-${SRC_VERSION}.tar.xz
RUN echo "${SRC_HASH} m4-${SRC_VERSION}.tar.xz" | sha256sum -c
RUN tar -xf m4-${SRC_VERSION}.tar.xz
WORKDIR m4-${SRC_VERSION}
RUN set -eux; \
./configure \
--prefix=/usr; \
make;
RUN make DESTDIR=/home/user/rootfs install
COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1
FROM scratch
COPY --from=build /home/user/rootfs /
ENTRYPOINT ["/usr/bin/m4"]
CMD ["--version"]


@ -30,7 +30,7 @@ RUN set -eux; \
RUN set -eux; \
make DESTDIR=/home/user/rootfs install; \
mkdir -p /home/user/rootfs/usr/bin; \
printf "%s\n%s\n" '#!/bin/sh' 'exec /lib/ld-musl-x86_64.so.1 --list "\$@"' \
printf "%s\n%s\n" '#!/bin/sh' 'exec /lib/$LDSO --list "\$@"' \
> /home/user/rootfs/usr/bin/ldd; \
chmod 755 /home/user/rootfs/usr/bin/ldd; \
mv -f /home/user/rootfs/usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1; \
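Review bot: `$LDSO` in the `printf` argument sits inside single quotes, so the build shell does not expand it and the literal text `$LDSO` is written into `/usr/bin/ldd`. Unless `LDSO` happens to be set in the environment of whoever later runs `ldd`, the wrapper will exec `/lib/` instead of the musl loader. If the intent is to substitute the loader name at build time, that argument should be double-quoted, e.g. `"exec /lib/${LDSO} --list \"\$@\""`, with `LDSO` defined earlier in the file (no definition is visible in this hunk). The `mv` two lines below still hard-codes `ld-musl-x86_64.so.1`, so the two names can drift apart. This `RUN` starts before the hunk and continues past its last line.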


@ -1,30 +0,0 @@
FROM imgrep/busybox:latest as busybox
FROM imgrep/gcc:latest as gcc
FROM imgrep/binutils:latest as binutils
FROM imgrep/musl:latest as musl
FROM imgrep/make:latest as make
FROM busybox as build
ENV SRC_SITE=https://distfiles.ariadne.space/pkgconf/
ENV SRC_VERSION=1.6.3
ENV SRC_HASH=61f0b31b0d5ea0e862b454a80c170f57bad47879c0c42bd8de89200ff62ea210
RUN wget ${SRC_SITE}/pkgconf-${SRC_VERSION}.tar.xz
RUN echo "${SRC_HASH} pkgconf-${SRC_VERSION}.tar.xz" | sha256sum -c
RUN tar -xf pkgconf-${SRC_VERSION}.tar.xz
WORKDIR pkgconf-${SRC_VERSION}
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=make . /
COPY --from=musl . /
RUN set -eux; \
./configure \
--prefix=/usr; \
make;
RUN make DESTDIR=/home/user/rootfs install
RUN ln -s pkgconf /home/user/rootfs/usr/bin/pkg-config
COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1
FROM scratch
COPY --from=build /home/user/rootfs /
ENTRYPOINT ["/usr/bin/pkgconf"]
CMD ["--version"]


@ -1,30 +0,0 @@
FROM imgrep/busybox:latest as busybox
FROM imgrep/gcc:latest as gcc
FROM imgrep/binutils:latest as binutils
FROM imgrep/musl:latest as musl
FROM imgrep/make:latest as make
FROM imgrep/bash:latest as bash
FROM busybox as build
ENV SRC_SITE=https://ftp.gnu.org/gnu/sed
ENV SRC_VERSION=4.9
ENV SRC_HASH=6e226b732e1cd739464ad6862bd1a1aba42d7982922da7a53519631d24975181
RUN wget ${SRC_SITE}/sed-${SRC_VERSION}.tar.xz
RUN echo "${SRC_HASH} sed-${SRC_VERSION}.tar.xz" | sha256sum -c
RUN tar -xf sed-${SRC_VERSION}.tar.xz
WORKDIR sed-${SRC_VERSION}
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=make . /
COPY --from=musl . /
RUN set -eux; \
./configure \
--prefix=/; \
make;
RUN make DESTDIR=/home/user/rootfs install
COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1
FROM scratch
COPY --from=build /home/user/rootfs /
ENTRYPOINT ["/bin/sed"]
CMD ["--version"]