Conversation
Updated the builder so that it doesn't rely on a pre-existing Alpine image. This allows people to create Alpine Linux images when they can't use public images.
I am also working on official upstream rootfs images with the v3.5 release.
```sh
mirror_count=$(wc -l $mirror_list | cut -d " " -f 1)
random=$(hexdump -n 2 -e '/2 "%u"' /dev/urandom)
repository=$(sed $(expr $random % $mirror_count + 1)\!d \
    $mirror_list)$auto_repo_dir
```
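Review bot: `$mirror_list` is unquoted in both the `wc -l` and the `sed` invocation, and nothing guards against `mirror_count` being 0, in which case `expr $random % $mirror_count + 1` fails and the `sed` address is empty. Suggest quoting the path and checking the count before the modulo, e.g. `[ "$mirror_count" -gt 0 ] || exit 1`. Note also that `wc -l` counts newlines, so a list whose last entry has no trailing newline will never select that entry; `grep -c . "$mirror_list"` counts non-empty lines instead.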
I think we can simply use the http://dl-cdn.alpinelinux.org/alpine mirror
I'm pulling the mirror list from the official alpine-mirrors package. This way we are only pulling from official mirrors, and not from a DNS value that might be hijacked on someone's network. Otherwise you're correct, we could just use the CDN mirror and rely on DNS doing the picking.
Makes no difference. Any of the mirrors could be DNS-hijacked, or the official mirror sysadmin could go rogue. What protects you from any of this happening is the signature verification using the apk keys, which you verify with the embedded sha256 sum.
In other words, as long as you trust that the builder script itself has not been modified over the wire, then you can verify that apk is ok and apk will verify that the apk content is not modified, using the apk keys.
I am OK with keeping the current approach if you have strong feelings about it. It is good not to hard-code the mirror in case we change it in the future.
Yeah, it doesn't matter to me. The bootstrap script does a sha1 check on itself to make sure it hasn't been modified by outside sources :) We can swap that out for the CDN; at the top we pull in the list of mirrors from the CDN at the beginning of the process. I just found this was the best way for how I work. Just figured others might be in the same boat.
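The trust chain described in the two comments above (a checksum pinned in the script validates what is downloaded, and the mirror is chosen from a local list rather than by DNS) as an added example. This is not the project's bootstrap script; the function names, the fetch wrapper, the `.example` mirror URLs and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's bootstrap script: an embedded-checksum
# check for a downloaded artifact plus mirror selection from a local list.
# Function names and the sample inputs below are assumptions.
set -eu

# Print the SHA-256 of a file, using sha256sum (GNU/busybox) or shasum (BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Compare a file against a digest embedded in the script.
# Returns 0 on match, 1 on mismatch; the caller decides whether to abort.
verify_sha256() {
    expected=$2
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

# Select one mirror from a newline-separated list. Counts non-empty lines
# (so a missing trailing newline does not drop the last entry), quotes the
# path, and refuses an empty list instead of taking a modulo by zero.
pick_mirror() {
    mirror_list=$1
    mirror_count=$(grep -c . "$mirror_list" || true)
    if [ "$mirror_count" -eq 0 ]; then
        echo "pick_mirror: no mirrors in $mirror_list" >&2
        return 1
    fi
    random=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    grep . "$mirror_list" | sed -n "$((random % mirror_count + 1))p"
}

# Fetch-and-verify wrapper (hypothetical): download to a temp file, check the
# digest pinned in the script, and only then move it into place. The mirror
# is untrusted; only the embedded digest decides whether the file is used.
fetch_verified() {
    url=$1
    dest=$2
    expected=$3
    tmp=$(mktemp)
    wget -q -O "$tmp" "$url"
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "checksum mismatch for $url" >&2
        return 1
    fi
}
```

`fetch_verified` is the shape the apk bootstrap takes: the mirror only supplies bytes, the pinned digest (and, for packages, the apk keys it unlocks) decides whether they are trusted, so a hijacked mirror can at worst cause a failed download.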
Let's revisit this. Can you give a brief demo of using this and how it might affect our current pipeline? Then I can try it out locally. From the looks of it, it appears to build a
Correct, it does build base, then builds each version from inside that image.