
Unpin apt/apk package versions to fix periodic build failures #188

Merged: labkey-willm merged 1 commit into develop from fb_unpin_apt_apk_package_versions on Jul 1, 2026


Conversation

@labkey-willm

Contributor

Problem

The nightly builds (e.g. LimsStarterContainerNightly) periodically fail because the Dockerfile pins exact OS package versions like curl=8.5.0-2ubuntu10.9. Ubuntu's noble archive (and Alpine's) keeps only the latest build of each package — when a security update bumps a package, the old exact version is deleted from the repo, so apt-get install curl=8.5.0-2ubuntu10.9 fails with a one-line E: Version '…' was not found buried deep in the build log.

Why removing the pins is the right fix

  • The pins weren't doing anything. The RUN runs apt-get -yq upgrade / apk upgrade immediately after the pinned installs, which bump those same packages to latest anyway. So the running image was already on latest-patched versions, not the pinned ones — the pins provided no reproducibility.
  • No supply-chain loss. apt/apk's signed repo metadata is what verifies packages, not the version string. Version pinning ≠ a hash-level supply-chain control.
  • CVE posture is unchanged/better. apt-get upgrade (kept) is the actual CVE-patching mechanism for the whole base-image package set — important for the xeol/dockle scans.
  • Lint stays clean. hadolint DL3008/DL3018 (require-pinning) were already in the ignore directive; they now correctly suppress the unpinned-version warnings. An intent comment was added so nobody re-pins later.

Removing the pins also eliminates the misleading buried "Version not found" error entirely.

Changes

Dockerfile only — stripped the =<version> suffix from the apt (curl, gettext-base, unzip, wget + DEBUG-only set) and apk (gettext, unzip, curl, tree) packages. postgresql-client-16 keeps its name (the -16 is the Postgres major, not a pin). Kept both upgrade steps.

Verification

  • hadolint — clean
  • LABKEY_DISTRIBUTION=lims_starter make build (noble) — ✅
  • DEBUG=1 LABKEY_DISTRIBUTION=community make build — ✅ (extra apt pkgs)
  • FROM_TAG=25-jre-alpine make build — ✅ (apk path)
  • make test (smoke) — ✅ smoke test succeeded (LabKey booted, curl healthcheck OK)

🤖 Generated with Claude Code

Ubuntu/Alpine archives keep only the latest build of each package, so
exact pins like curl=8.5.0-2ubuntu10.9 get rotated out on each security
update and break the build. The `apt-get upgrade`/`apk upgrade` steps
already pull latest-patched versions, so the pins provided no
reproducibility or supply-chain benefit (signed repo metadata is the
real control) -- they only caused the failures. Removing them also
eliminates the misleading buried "Version not found" error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
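The failure mode the PR describes (exact pins that a later `apt-get upgrade` / `apk upgrade` step overrides, and that break the build when the archive rotates the version) can be checked mechanically. This audit is an added example, not code from the PR or the LabKey repository: it parses a Dockerfile's RUN instructions, collects apt/apk exact-version pins and flags each one that a later upgrade step makes moot. The sample Dockerfile, its base image and the `wget` package are constructed; only curl's version string comes from the PR.

```python
"""Audit a Dockerfile for apt/apk exact-version pins overridden by a later upgrade."""
import re
from typing import NamedTuple

# `pkg=version` (apt, apk) or `pkg~=version` (apk fuzzy pin) install token.
# The lowercase package-name charset keeps ENV-style FOO=bar from matching.
_PIN = re.compile(r"^([a-z0-9][a-z0-9+.-]*)~?=(\S+)$")
_UPGRADE = {"upgrade", "dist-upgrade", "full-upgrade"}


class Pin(NamedTuple):
    manager: str      # "apt" or "apk"
    package: str
    version: str
    overridden: bool  # True if a later upgrade step bumps the package anyway


def _shell_commands(dockerfile: str) -> list[list[str]]:
    """argv of each shell command in RUN instructions, in Dockerfile order."""
    cmds = []
    # Join backslash continuations, then split every RUN on && / || / ;
    for line in re.sub(r"\\\n", " ", dockerfile).splitlines():
        if line.strip().upper().startswith("RUN "):
            cmds += [c.split() for c in re.split(r"&&|\|\||;", line.strip()[4:])]
    return [c for c in cmds if c]


def audit_pins(dockerfile: str) -> list[Pin]:
    cmds = _shell_commands(dockerfile)
    found = []
    for i, argv in enumerate(cmds):
        if argv[0] == "apt-get" and "install" in argv:
            tool, mgr = "apt-get", "apt"
        elif argv[0] == "apk" and "add" in argv:
            tool, mgr = "apk", "apk"
        else:
            continue
        # Any later upgrade by the same tool makes the exact pin moot.
        overridden = any(c[0] == tool and _UPGRADE & set(c) for c in cmds[i + 1:])
        found += [Pin(mgr, m[1], m[2], overridden) for m in map(_PIN.match, argv) if m]
    return found


# Constructed sample modelled on the layout the PR removes: curl's version string
# is the one quoted in the PR; the base image and the wget package are made up.
PINNED = """\
FROM ubuntu:noble
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \\
    apt-get install -yq --no-install-recommends curl=8.5.0-2ubuntu10.9 wget && \\
    apt-get -yq upgrade && rm -rf /var/lib/apt/lists/*
"""
UNPINNED = PINNED.replace("curl=8.5.0-2ubuntu10.9", "curl")  # the PR's fix
```

Running `audit_pins(PINNED)` reports the curl pin as overridden by the later upgrade, while `audit_pins(UNPINNED)` reports nothing, which is the state the PR leaves the Dockerfile in.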
@labkey-willm labkey-willm merged commit a51237e into develop Jul 1, 2026
9 checks passed
@labkey-willm labkey-willm deleted the fb_unpin_apt_apk_package_versions branch July 1, 2026 21:10
labkey-willm added a commit that referenced this pull request Jul 2, 2026
…189)

Ubuntu/Alpine archives keep only the latest build of each package, so
exact pins like curl=8.5.0-2ubuntu10.9 get rotated out on each security
update and break the build. The `apt-get upgrade`/`apk upgrade` steps
already pull latest-patched versions, so the pins provided no
reproducibility or supply-chain benefit (signed repo metadata is the
real control) -- they only caused the failures. Removing them also
eliminates the misleading buried "Version not found" error.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>