New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Dockerfile build image #5731

Open
wants to merge 1 commit into
base: master
from

Conversation

Projects
None yet
6 participants
@spk

spk commented Sep 29, 2016

First time contributor checklist

Contributor checklist

  • I am following the Code Style Guidelines
  • I have tested my contribution on these devices:
    • Docker version 1.12.1, build 23cf638
  • My contribution is fully baked and ready to be merged as is
  • I ensure that all the open issues my contribution fixes are mentioned in the commit message of my first commit using the Fixes #1234 syntax
  • I have made the choice whether I want the BitHub reward or not by omitting or adding the word FREEBIE in the commit message of my first commit

Description

  • Use official java:openjdk-8-jdk instead of ubuntu
  • Check Android SDK download with sha256
  • Other minor fixes
Dockerfile Outdated
&& apt-get -qqy --no-install-recommends install \
software-properties-common \
libc6:i386 libncurses5:i386 libstdc++6:i386 \
lib32z1 wget git unzip \

This comment has been minimized.

@moxie0

moxie0 Oct 3, 2016

Member

Without pinning the packages, these are not guaranteed to be the same every time

This comment has been minimized.

@spk

spk Oct 4, 2016

If the version is updated/removed the the build will fail, is there a reason for that @moxie0 ? Why not thrusting last version from Debian repository ?

This comment has been minimized.

@2-4601

2-4601 Oct 4, 2016

Contributor

The primary goal for the docker image is reproducible builds. See: https://whispersystems.org/blog/reproducible-android/

This comment has been minimized.

@moxie0

moxie0 Oct 4, 2016

Member

My understanding is that debian maintains a package archive of every package they've ever published, right?

This comment has been minimized.

@spk

spk Oct 4, 2016

Yes they do on http://snapshot.debian.org/ but its just in case of the package is removed and you really need the package version.
If a package have a security issue the version is removed, and so we need to update the Dockerfile every time.

This comment has been minimized.

@spk

spk Oct 4, 2016

@2-4601 that's what I've tried to do but it was failing

This comment has been minimized.

@2-4601

2-4601 Oct 4, 2016

Contributor

Yeah, some of those packages have become unavailable if you try to build it yourself. You can still use the pre-built image from the Docker hub though. See similar case.

I guess this dockerfile does need some maintenance for the people who want to build it themselves.

This comment has been minimized.

@spk

spk Oct 4, 2016

I don't trust pre-build image when I cannot check the Dockerfile and when the image is not an automatic build.
That's why I wanted to build it myself.
Anyway if its a requirement for you to pin the versions; I will do it

This comment has been minimized.

@spk

spk Oct 4, 2016

Added in 6e1f6a4
Pinning only the upstream version and not the Debian version, let me know if its fine for you ?

This comment has been minimized.

@moxie0

moxie0 Oct 4, 2016

Member

For this to be reproducible, the binaries need to be exactly the same. If it's not true that debian keeps an archive of every version of every package they've ever distributed, then we'll have to figure something else out.

@spk spk force-pushed the spk:fix-dockerfile branch from 6e1f6a4 to 68351a0 Nov 22, 2016

@moxie0

This comment has been minimized.

Member

moxie0 commented Nov 28, 2016

looks like this still isn't pinning the debian version?

@spk spk force-pushed the spk:fix-dockerfile branch from 68351a0 to c1e3bff Nov 30, 2016

spk added a commit to spk/Signal-Android that referenced this pull request Nov 30, 2016

@spk

This comment has been minimized.

spk commented Nov 30, 2016

@moxie0 its done on c1e3bff
I think it will brake soon but there is other improvements like checking sha256sum that would be nice to merge (#6121)

@spk spk force-pushed the spk:fix-dockerfile branch from c1e3bff to 22a4adc Dec 19, 2016

spk added a commit to spk/Signal-Android that referenced this pull request Dec 19, 2016

@spk spk force-pushed the spk:fix-dockerfile branch from 22a4adc to caa9e52 Jan 30, 2017

spk added a commit to spk/Signal-Android that referenced this pull request Jan 30, 2017

@spk

This comment has been minimized.

spk commented Jan 30, 2017

Rebased, is there other issues to address ?

@xmikos

This comment has been minimized.

xmikos commented Apr 5, 2017

I have just tried this modified Dockerfile, but build still fails:

E: Version '2.19-18+deb8u6' for 'libc6:i386' was not found
@spk

This comment has been minimized.

spk commented Apr 6, 2017

I've updated the Debian package version @xmikos
For me it is not useful to pin the Debian version, because Debian version is about debian/ files changes so not related with the binary; but change was asked by @moxie0 in #5731 (comment)

@xmikos

This comment has been minimized.

xmikos commented Apr 10, 2017

@spk Build is now working. But looking at Dockerfile, you are using java:openjdk-8-jdk as base image. But Docker java repository is deprecated:

DEPRECATED
This image is officially deprecated in favor of the openjdk image, and will receive no 
further updates after 2016-12-31 (Dec 31, 2016). Please adjust your usage accordingly.

Instead of it, Docker openjdk repository should be used.

@xmikos

This comment has been minimized.

xmikos commented Apr 10, 2017

I have found several other issues:

  1. too old ANDROID_BUILD_TOOLS_VERSION (Dockerfile in official Signal-Android repository specifies 25.0.0 and Signal build fails with old version specified in your pull request)

  2. final APK (built with ./gradlew clean assemblePlayRelease) is not reproducible. It differs from Signal 4.2.4 downloaded from Google Play (looking at disassembled classes.dex file, there are small differences with line numbers, etc.)

  3. there is no NDK specified in Dockerfile so you can't rebuild native shared libraries with ndk-build. Using prebuilt native shared libraries defeats whole purpose of reproducible builds (there can be hidden native malicious code)

@spk spk force-pushed the spk:fix-dockerfile branch from 643ad94 to 467e871 Apr 10, 2017

spk added a commit to spk/Signal-Android that referenced this pull request Apr 10, 2017

@spk

This comment has been minimized.

spk commented Apr 10, 2017

Thanks @xmikos I did not notice the deprecation on java image
Updated on 467e871
For the ANDROID_BUILD_TOOLS_VERSION I've just rebased the branch
For the others point I cannot help

@ale5000-git

This comment has been minimized.

ale5000-git commented May 22, 2017

Any update about this?

@PanderMusubi

This comment has been minimized.

PanderMusubi commented Jul 4, 2017

Hope this will get reviewed again or, even better, merged soon.

Fix Dockerfile build image
* Use official java:openjdk-8-jdk instead of ubuntu
* Check Android SDK download with sha256
* Remove unzip temp failing

```
unzip:  cannot find or open /usr/local/android-sdk-linux/temp/*.zip,
/usr/local/android-sdk-linux/temp/*.zip.zip or
/usr/local/android-sdk-linux/temp/*.zip.ZIP.
```

// FREEBIE

@spk spk force-pushed the spk:fix-dockerfile branch from 467e871 to 7dd9706 Mar 6, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment