Tighten Dockerfile: pinning, certs, GPG hygiene #6

Open

soulgalore wants to merge 4 commits into main from dockerfile-cleanup

Conversation

@soulgalore (Member)

The base image is pinned to a specific Ubuntu noble tag so that
builds are reproducible from day to day. The previous apt-get upgrade -y step undid that by pulling in whatever
happened to be
current in the Ubuntu archive at build time, so the pin only
controlled the starting point and not the result. Drop the upgrade
and let rebases of the base tag be the explicit signal that we want
to take in updated packages.

ca-certificates was grouped with the build-time tools and removed
by the final apt-get purge --auto-remove, leaving the resulting
image without a system CA bundle. Anything downstream that talks
HTTPS (the npm registry, sitespeed's own network probes) would
either have to reinstall it or fall back to Node's bundled certs.
Install ca-certificates separately so it survives the purge.

GPG was run against the default home, which writes keys and an
agent socket into /root/.gnupg and leaves them in the final
layer. Move GnuPG to a temporary GNUPGHOME, stop the agent, and
remove the directory once verification is done so no keyring
material ships in the image.

Finally, the original line continuation between PLATFORM= and
buildDeps= was missing an &&. It happened to work because
export accepts several name=value pairs, but the intent was a
chained command sequence — add the && so the structure matches
what's actually meant.

Co-authored-by: Claude Opus 4.7 (1M context) noreply@anthropic.com
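The four changes described above, put together in one illustrative Dockerfile fragment. This is an added example, not the project's Dockerfile or any of the commits in this PR: the base tag, the artifact URL, the signing-key fingerprint and the build-dependency list are all placeholders, and the optional `@sha256:` digest pin goes one step beyond the tag pin the PR describes.

```dockerfile
# Illustrative Dockerfile (added example, not the project's own file).
# Every PLACEHOLDER_* value is a stand-in; take the real ones from the
# upstream release page and the tag you actually want to build from.

# 1. Pin the base image. Pinning the tag fixes the starting point; adding
#    the digest additionally fixes the exact manifest behind that tag.
FROM ubuntu:noble-PLACEHOLDER_TAG@sha256:PLACEHOLDER_DIGEST

# Release artifact, its detached signature and the fingerprint of the key
# expected to have produced the signature (all placeholders).
ARG ARTIFACT_URL=https://example.invalid/PLACEHOLDER_ARTIFACT.tar.xz
ARG ARTIFACT_SIG_URL=https://example.invalid/PLACEHOLDER_ARTIFACT.tar.xz.sig
ARG SIGNING_KEY_FINGERPRINT=PLACEHOLDER_FINGERPRINT

# 2. ca-certificates on its own, outside the build-deps set, so the later
#    "purge --auto-remove" cannot take the system CA bundle with it.
#    No "apt-get upgrade" here: package versions come from the pinned base only.
RUN apt-get update \
  && apt-get install -y --no-install-recommends ca-certificates \
  && rm -rf /var/lib/apt/lists/*

# 3. + 4. One chained command sequence (every step joined with &&, so a
#    failure anywhere fails the layer), with GnuPG confined to a temporary
#    GNUPGHOME that is torn down before the layer is committed.
RUN set -eu \
  && buildDeps="curl gnupg dirmngr xz-utils" \
  && apt-get update \
  && apt-get install -y --no-install-recommends $buildDeps \
  && export GNUPGHOME="$(mktemp -d)" \
  && curl -fsSL -o /tmp/artifact.tar.xz "$ARTIFACT_URL" \
  && curl -fsSL -o /tmp/artifact.tar.xz.sig "$ARTIFACT_SIG_URL" \
  && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$SIGNING_KEY_FINGERPRINT" \
  && gpg --batch --verify /tmp/artifact.tar.xz.sig /tmp/artifact.tar.xz \
  && mkdir -p /opt/artifact \
  && tar -xJf /tmp/artifact.tar.xz -C /opt/artifact --strip-components=1 --no-same-owner \
  # Stop the agent that gpg started for this GNUPGHOME, then drop the keyring.
  && gpgconf --kill all \
  && rm -rf "$GNUPGHOME" /tmp/artifact.tar.xz /tmp/artifact.tar.xz.sig \
  && apt-get purge -y --auto-remove $buildDeps \
  && rm -rf /var/lib/apt/lists/* \
  # Sanity checks that the layer ends in the intended state:
  # no keyring in the default home, CA bundle still present.
  && test ! -e /root/.gnupg \
  && test -s /etc/ssl/certs/ca-certificates.crt
```

The two `test` lines at the end are cheap guards against regressions of exactly the two problems the PR fixes: if someone later folds `ca-certificates` back into `buildDeps`, or drops the `GNUPGHOME` export so gpg falls back to `/root/.gnupg`, the build fails instead of silently shipping the wrong layer.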
