From 349fb1ced29eba72048b7dfd36c0207c9f0eb376 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 26 Sep 2024 15:49:29 -0700 Subject: [PATCH] Update to 1.37.0, buildroot 2024.08 --- latest-1/glibc/Dockerfile.builder | 10 +- latest-1/musl/Dockerfile.builder | 10 +- latest-1/uclibc/Dockerfile.builder | 10 +- latest/glibc/Dockerfile.builder | 8 +- latest/musl/Dockerfile.builder | 8 +- latest/nolibc/Dockerfile.builder | 200 +++++++++++++++++++++++++++++ latest/uclibc/Dockerfile.builder | 8 +- versions.json | 30 ++--- 8 files changed, 239 insertions(+), 45 deletions(-) create mode 100644 latest/nolibc/Dockerfile.builder diff --git a/latest-1/glibc/Dockerfile.builder b/latest-1/glibc/Dockerfile.builder index e32c3d5..893fc84 100644 --- a/latest-1/glibc/Dockerfile.builder +++ b/latest-1/glibc/Dockerfile.builder @@ -24,9 +24,9 @@ RUN set -eux; \ # sub 1024g/2C766641 2006-12-12 RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B -# https://busybox.net: 26 December 2021 -ENV BUSYBOX_VERSION 1.35.0 -ENV BUSYBOX_SHA256 faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694 +# https://busybox.net: 19 May 2023 +ENV BUSYBOX_VERSION 1.36.1 +ENV BUSYBOX_SHA256 b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 RUN set -eux; \ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \ @@ -76,8 +76,6 @@ RUN set -eux; \ \ unsetConfs=' \ CONFIG_FEATURE_SYNC_FANCY \ -# disable SHA hardware acceleration (temporarily), as it fails with SIGILL on some of GitHub's common CI systems; https://bugs.busybox.net/show_bug.cgi?id=15236 - CONFIG_SHA256_HWACCEL CONFIG_SHA1_HWACCEL \ '; \ \ make defconfig; \ @@ -158,7 +156,7 @@ RUN set -eux; \ # install a few extra files from buildroot (/etc/passwd, etc) RUN set -eux; \ - buildrootVersion='2024.05.3'; \ + buildrootVersion='2024.08'; \ for file in \ system/device_table.txt \ system/skeleton/etc/group \ 
diff --git a/latest-1/musl/Dockerfile.builder b/latest-1/musl/Dockerfile.builder index 4a3fecb..4d48897 100644 --- a/latest-1/musl/Dockerfile.builder +++ b/latest-1/musl/Dockerfile.builder @@ -28,9 +28,9 @@ RUN set -eux; \ # sub 1024g/2C766641 2006-12-12 RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B -# https://busybox.net: 26 December 2021 -ENV BUSYBOX_VERSION 1.35.0 -ENV BUSYBOX_SHA256 faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694 +# https://busybox.net: 19 May 2023 +ENV BUSYBOX_VERSION 1.36.1 +ENV BUSYBOX_SHA256 b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 RUN set -eux; \ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \ @@ -86,8 +86,6 @@ RUN set -eux; \ CONFIG_FEATURE_INETD_RPC \ CONFIG_FEATURE_UTMP \ CONFIG_FEATURE_WTMP \ -# disable SHA hardware acceleration (temporarily), as it fails with SIGILL on some of GitHub's common CI systems; https://bugs.busybox.net/show_bug.cgi?id=15236 - CONFIG_SHA256_HWACCEL CONFIG_SHA1_HWACCEL \ '; \ \ make defconfig; \ @@ -141,7 +139,7 @@ RUN set -eux; \ # install a few extra files from buildroot (/etc/passwd, etc) RUN set -eux; \ - buildrootVersion='2024.05.3'; \ + buildrootVersion='2024.08'; \ for file in \ system/device_table.txt \ system/skeleton/etc/group \ diff --git a/latest-1/uclibc/Dockerfile.builder b/latest-1/uclibc/Dockerfile.builder index 09ed167..eeb692b 100644 --- a/latest-1/uclibc/Dockerfile.builder +++ b/latest-1/uclibc/Dockerfile.builder @@ -44,7 +44,7 @@ RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-key # https://buildroot.org/download.html # https://buildroot.org/downloads/?C=M;O=D -ENV BUILDROOT_VERSION 2024.05.3 +ENV BUILDROOT_VERSION 2024.08 RUN set -eux; \ tarball="buildroot-${BUILDROOT_VERSION}.tar.xz"; \ 
@@ -210,9 +210,9 @@ ENV PATH /usr/src/buildroot/output/host/usr/bin:$PATH # sub 1024g/2C766641 2006-12-12 RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B -# https://busybox.net: 26 December 2021 -ENV BUSYBOX_VERSION 1.35.0 -ENV BUSYBOX_SHA256 faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694 +# https://busybox.net: 19 May 2023 +ENV BUSYBOX_VERSION 1.36.1 +ENV BUSYBOX_SHA256 b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 RUN set -eux; \ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \ @@ -262,8 +262,6 @@ RUN set -eux; \ \ unsetConfs=' \ CONFIG_FEATURE_SYNC_FANCY \ -# disable SHA hardware acceleration (temporarily), as it fails with SIGILL on some of GitHub's common CI systems; https://bugs.busybox.net/show_bug.cgi?id=15236 - CONFIG_SHA256_HWACCEL CONFIG_SHA1_HWACCEL \ '; \ \ make defconfig; \ diff --git a/latest/glibc/Dockerfile.builder b/latest/glibc/Dockerfile.builder index d86416b..4352792 100644 --- a/latest/glibc/Dockerfile.builder +++ b/latest/glibc/Dockerfile.builder @@ -24,9 +24,9 @@ RUN set -eux; \ # sub 1024g/2C766641 2006-12-12 RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B -# https://busybox.net: 19 May 2023 -ENV BUSYBOX_VERSION 1.36.1 -ENV BUSYBOX_SHA256 b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 +# https://busybox.net: 27 September 2024 +ENV BUSYBOX_VERSION 1.37.0 +ENV BUSYBOX_SHA256 3311dff32e746499f4df0d5df04d7eb396382d7e108bb9250e7b519b837043a4 RUN set -eux; \ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \ @@ -156,7 +156,7 @@ RUN set -eux; \ # install a few extra files from buildroot (/etc/passwd, etc) RUN set -eux; \ - buildrootVersion='2024.05.3'; \ + buildrootVersion='2024.08'; \ for file in \ system/device_table.txt \ system/skeleton/etc/group \ 
diff --git a/latest/musl/Dockerfile.builder b/latest/musl/Dockerfile.builder index 0c0d3ab..fe7f109 100644 --- a/latest/musl/Dockerfile.builder +++ b/latest/musl/Dockerfile.builder @@ -28,9 +28,9 @@ RUN set -eux; \ # sub 1024g/2C766641 2006-12-12 RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B -# https://busybox.net: 19 May 2023 -ENV BUSYBOX_VERSION 1.36.1 -ENV BUSYBOX_SHA256 b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 +# https://busybox.net: 27 September 2024 +ENV BUSYBOX_VERSION 1.37.0 +ENV BUSYBOX_SHA256 3311dff32e746499f4df0d5df04d7eb396382d7e108bb9250e7b519b837043a4 RUN set -eux; \ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \ @@ -139,7 +139,7 @@ RUN set -eux; \ # install a few extra files from buildroot (/etc/passwd, etc) RUN set -eux; \ - buildrootVersion='2024.05.3'; \ + buildrootVersion='2024.08'; \ for file in \ system/device_table.txt \ system/skeleton/etc/group \ diff --git a/latest/nolibc/Dockerfile.builder b/latest/nolibc/Dockerfile.builder new file mode 100644 index 0000000..1fcebf1 --- /dev/null +++ b/latest/nolibc/Dockerfile.builder 
@@ -0,0 +1,200 @@ +FROM tianon/nolibc + +RUN set -eux; \ + apt-get update; \ + apt-get install -y \ + bzip2 \ + curl \ + gcc \ + gnupg \ + make \ + patch \ + ; \ + rm -rf /var/lib/apt/lists/* + +# pub 1024D/ACC9965B 2006-12-12 +# Key fingerprint = C9E9 416F 76E6 10DB D09D 040F 47B7 0C55 ACC9 965B +# uid Denis Vlasenko +# sub 1024g/2C766641 2006-12-12 +RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B + +# https://busybox.net: 19 May 2023 +ENV BUSYBOX_VERSION 1.36.1 +ENV BUSYBOX_SHA256 b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 + +RUN set -eux; \ + tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \ + curl -fL -o busybox.tar.bz2.sig "https://busybox.net/downloads/$tarball.sig"; \ + curl -fL -o busybox.tar.bz2 "https://busybox.net/downloads/$tarball"; \ + echo "$BUSYBOX_SHA256 *busybox.tar.bz2" | sha256sum -c -; \ + gpg --batch --verify busybox.tar.bz2.sig busybox.tar.bz2; \ +# Alpine... 😅 + mkdir -p /usr/src; \ + tar -xf busybox.tar.bz2 -C /usr/src "busybox-$BUSYBOX_VERSION"; \ + mv "/usr/src/busybox-$BUSYBOX_VERSION" /usr/src/busybox; \ + rm busybox.tar.bz2*; \ + \ +# save the tarball's filesystem timestamp persistently (in case building busybox modifies it) so we can use it for reproducible rootfs later + SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/src/busybox | tee /usr/src/busybox.SOURCE_DATE_EPOCH)"; \ + date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \ + touch -t "$date" /usr/src/busybox.SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822 + +WORKDIR /usr/src/busybox + +# https://github.com/docker-library/busybox/issues/198 +# https://bugs.busybox.net/show_bug.cgi?id=15931 +# https://bugs.debian.org/1071648 +RUN set -eux; \ + . 
/etc/os-release; \ + if [ "${ID:-}" = 'debian' ] && [ "${VERSION_CODENAME:-}" != 'bookworm' ]; then \ + curl -fL -o busybox-no-cbq.patch 'https://bugs.busybox.net/attachment.cgi?id=9751'; \ + echo '6671a12c48dbcefb653fc8403d1f103a1e2eba4a49b1ee9a9c27da8aa2db80d4 *busybox-no-cbq.patch' | sha256sum -c -; \ + patch -p1 --input=busybox-no-cbq.patch; \ + rm busybox-no-cbq.patch; \ + fi + +RUN set -eux; \ + \ +# build date/time gets embedded in the BusyBox binary -- SOURCE_DATE_EPOCH should override that + SOURCE_DATE_EPOCH="$(cat /usr/src/busybox.SOURCE_DATE_EPOCH)"; \ + export SOURCE_DATE_EPOCH; \ +# (has to be set in the config stage for making sure "AUTOCONF_TIMESTAMP" is embedded correctly) + \ + setConfs=' \ + CONFIG_AR=y \ + CONFIG_FEATURE_AR_CREATE=y \ + CONFIG_FEATURE_AR_LONG_FILENAMES=y \ +# CONFIG_LAST_SUPPORTED_WCHAR: see https://github.com/docker-library/busybox/issues/13 (UTF-8 input) + CONFIG_LAST_SUPPORTED_WCHAR=0 \ + CONFIG_STATIC=y \ + '; \ + \ + unsetConfs=' \ + CONFIG_FEATURE_SYNC_FANCY \ + '; \ + \ + make defconfig; \ + \ + for conf in $unsetConfs; do \ + sed -i \ + -e "s!^$conf=.*\$!# $conf is not set!" \ + .config; \ + done; \ + \ + for confV in $setConfs; do \ + conf="${confV%=*}"; \ + sed -i \ + -e "s!^$conf=.*\$!$confV!" \ + -e "s!^# $conf is not set\$!$confV!" \ + .config; \ + if ! grep -q "^$confV\$" .config; then \ + echo "$confV" >> .config; \ + fi; \ + done; \ + \ + make oldconfig; \ + \ +# trust, but verify + for conf in $unsetConfs; do \ + ! 
grep -q "^$conf=" .config; \ + done; \ + for confV in $setConfs; do \ + grep -q "^$confV\$" .config; \ + done + +RUN set -eux; \ + nproc="$(nproc)"; \ + make -j "$nproc" busybox; \ + ./busybox --help; \ + mkdir -p rootfs/bin; \ + ln -vL busybox rootfs/bin/; \ + \ +# copy simplified getconf port from Alpine +# https://github.com/alpinelinux/aports/commits/HEAD/main/musl/getconf.c + curl -fsSL \ + "https://github.com/alpinelinux/aports/raw/48b16204aeeda5bc1f87e49c6b8e23d9abb07c73/main/musl/getconf.c" \ + -o /usr/src/getconf.c \ + ; \ + echo 'd87d0cbb3690ae2c5d8cc218349fd8278b93855dd625deaf7ae50e320aad247c */usr/src/getconf.c' | sha256sum -c -; \ + gcc -o rootfs/bin/getconf $CFLAGS /usr/src/getconf.c; \ + chroot rootfs /bin/getconf _NPROCESSORS_ONLN; \ + \ +# TODO make this create symlinks instead so the output tarball is cleaner (but "-s" outputs absolute symlinks which is kind of annoying to deal with -- we should also consider letting busybox determine the "install paths"; see "busybox --list-full") + chroot rootfs /bin/busybox --install /bin + +# install a few extra files from buildroot (/etc/passwd, etc) +RUN set -eux; \ + buildrootVersion='2024.02.3'; \ + for file in \ + system/device_table.txt \ + system/skeleton/etc/group \ + system/skeleton/etc/passwd \ + system/skeleton/etc/shadow \ + ; do \ + dir="$(dirname "$file")"; \ + mkdir -p "../buildroot/$dir"; \ + curl -fL -o "../buildroot/$file" "https://git.busybox.net/buildroot/plain/$file?id=$buildrootVersion"; \ + [ -s "../buildroot/$file" ]; \ + done; \ + \ + mkdir -p rootfs/etc; \ + ln -vL \ + ../buildroot/system/skeleton/etc/group \ + ../buildroot/system/skeleton/etc/passwd \ + ../buildroot/system/skeleton/etc/shadow \ + rootfs/etc/ \ + ; \ +# CVE-2019-5021, https://github.com/docker-library/official-images/pull/5880#issuecomment-490681907 + grep -E '^root::' rootfs/etc/shadow; \ + sed -ri -e 's/^root::/root:*:/' rootfs/etc/shadow; \ + grep -E '^root:[*]:' rootfs/etc/shadow; \ +# set expected permissions, 
etc too (https://git.busybox.net/buildroot/tree/system/device_table.txt) + awk ' \ + !/^#/ { \ + if ($2 != "d" && $2 != "f") { \ + printf "error: unknown type \"%s\" encountered in line %d: %s\n", $2, NR, $0 > "/dev/stderr"; \ + exit 1; \ + } \ + sub(/^\/?/, "rootfs/", $1); \ + if ($2 == "d") { \ + printf "mkdir -p %s\n", $1; \ + } \ + printf "chmod %s %s\n", $3, $1; \ + } \ + ' ../buildroot/system/device_table.txt | sh -eux + +# create missing home directories and ensure /usr/bin/env exists +RUN set -eux; \ + cd rootfs; \ + for userHome in $(awk -F ':' '{ print $3 ":" $4 "=" $6 }' etc/passwd); do \ + user="${userHome%%=*}"; \ + home="${userHome#*=}"; \ + home="./${home#/}"; \ + if [ ! -d "$home" ]; then \ + mkdir -p "$home"; \ + chown "$user" "$home"; \ + chmod 755 "$home"; \ + fi; \ + done; \ + if [ ! -s usr/bin/env ] && [ -s bin/env ]; then \ + mkdir -p usr/bin; \ + ln -s ../../bin/env usr/bin/; \ + fi + +# test and make sure it works +RUN chroot rootfs /usr/bin/env sh -xec 'true' + +# ensure correct timezone (UTC) +RUN set -eux; \ + ln -vL /usr/share/zoneinfo/UTC rootfs/etc/localtime; \ + [ "$(chroot rootfs date +%Z)" = 'UTC' ] + +# test and make sure DNS works too +RUN set -eux; \ + cp -L /etc/resolv.conf rootfs/etc/; \ + chroot rootfs /bin/sh -xec 'nslookup google.com'; \ + rm rootfs/etc/resolv.conf + +# vim:set ft=dockerfile: diff --git a/latest/uclibc/Dockerfile.builder b/latest/uclibc/Dockerfile.builder index 6d96d6c..dbacbbd 100644 --- a/latest/uclibc/Dockerfile.builder +++ b/latest/uclibc/Dockerfile.builder @@ -44,7 +44,7 @@ RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-key # https://buildroot.org/download.html # https://buildroot.org/downloads/?C=M;O=D -ENV BUILDROOT_VERSION 2024.05.3 +ENV BUILDROOT_VERSION 2024.08 RUN set -eux; \ tarball="buildroot-${BUILDROOT_VERSION}.tar.xz"; \ 
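Review bot: The new `latest/nolibc/Dockerfile.builder` pins `BUSYBOX_VERSION 1.36.1` (under the `# https://busybox.net: 19 May 2023` comment) and `buildrootVersion='2024.02.3'`, while this same commit moves the other `latest/*` builders to 1.37.0 and every other buildroot reference to 2024.08. If the nolibc variant is meant to track `latest`, those lines should become `ENV BUSYBOX_VERSION 1.37.0`, `ENV BUSYBOX_SHA256 3311dff32e746499f4df0d5df04d7eb396382d7e108bb9250e7b519b837043a4` and `buildrootVersion='2024.08'; \` (with the date comment updated to match); if the older pin is deliberate, a one-line comment saying so would keep the next bump from skipping it. Relatedly, the `versions.json` hunk at the end of the patch lists only glibc, uclibc and musl under `latest.variants`, so anything generated from that file presumably will not pick up the new directory — worth confirming that is intended. A smaller point: the buildroot skeleton files that become the image's `/etc/passwd`, `/etc/shadow` and `/etc/group` are fetched by a tag-style `?id=$buildrootVersion` reference and checked only with `[ -s "../buildroot/$file" ]`, whereas the busybox tarball, the cbq patch and `getconf.c` are all sha256-verified; the sibling builders appear to share this pattern, but pinning a commit id or recording expected digests would close the gap for the new file.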
@@ -210,9 +210,9 @@ ENV PATH /usr/src/buildroot/output/host/usr/bin:$PATH # sub 1024g/2C766641 2006-12-12 RUN mkdir -p ~/.gnupg && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B -# https://busybox.net: 19 May 2023 -ENV BUSYBOX_VERSION 1.36.1 -ENV BUSYBOX_SHA256 b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 +# https://busybox.net: 27 September 2024 +ENV BUSYBOX_VERSION 1.37.0 +ENV BUSYBOX_SHA256 3311dff32e746499f4df0d5df04d7eb396382d7e108bb9250e7b519b837043a4 RUN set -eux; \ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \ diff --git a/versions.json b/versions.json index b816dd4..fd094e2 100644 --- a/versions.json +++ b/versions.json @@ -1,7 +1,21 @@ { "latest": { "buildroot": { - "version": "2024.05.3" + "version": "2024.08" + }, + "date": "27 September 2024", + "sha256": "3311dff32e746499f4df0d5df04d7eb396382d7e108bb9250e7b519b837043a4", + "stability": "unstable", + "variants": [ + "glibc", + "uclibc", + "musl" + ], + "version": "1.37.0" + }, + "latest-1": { + "buildroot": { + "version": "2024.08" }, "date": "19 May 2023", "sha256": "b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314", @@ -12,19 +26,5 @@ "musl" ], "version": "1.36.1" - }, - "latest-1": { - "buildroot": { - "version": "2024.05.3" - }, - "date": "26 December 2021", - "sha256": "faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694", - "stability": "unstable", - "variants": [ - "glibc", - "uclibc", - "musl" - ], - "version": "1.35.0" } }