Merge branch 'master' into trishank_kuppusamy/curl-ssl

Author: trishankatdatadog

docker/build_scripts/build.sh

@@ -9,23 +9,33 @@ CPYTHON_VERSIONS="2.6.9 2.7.13 3.3.6 3.4.6 3.5.3 3.6.0"
 
 # openssl version to build, with expected sha256 hash of .tar.gz
 # archive
-OPENSSL_ROOT=openssl-1.0.2m
-# Hash from https://www.openssl.org/source/openssl-1.0.2?.tar.gz.sha256
-OPENSSL_HASH=8c6ff15ec6b319b50788f42c7abc2890c08ba5a1cdcd3810eb9092deada37b0f
+OPENSSL_ROOT=openssl-1.0.2n
+# Hash from https://www.openssl.org/source/openssl-1.0.2n.tar.gz.sha256
+# Matches hash at https://github.com/Homebrew/homebrew-core/blob/99b8ea3594d1f1f78b0fff1fd8ca7d782aa07e13/Formula/openssl.rb#L11
+OPENSSL_HASH=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe
 EPEL_RPM_HASH=0dcc89f9bf67a2a515bad64569b7a9615edc5e018f676a578d5fd0f17d3c81d4
 DEVTOOLS_HASH=a8ebeb4bed624700f727179e6ef771dafe47651131a00a78b342251415646acc
-PATCHELF_VERSION=6bfcafbba8d89e44f9ac9582493b4f27d9d8c369
+# Update to slightly newer, verified Git commit:
+# https://github.com/NixOS/patchelf/commit/2a9cefd7d637d160d12dc7946393778fa8abbc58
+PATCHELF_VERSION=2a9cefd7d637d160d12dc7946393778fa8abbc58
+PATCHELF_HASH=12da4727f09be42ae0b54878e1b8e86d85cb7a5b595731cdc1a0a170c4873c6d
 CURL_ROOT=curl-7.57.0
 # https://github.com/Homebrew/homebrew-core/blob/e3a8622111ecefe444194cade5cca3c69165e26c/Formula/curl.rb#L6
 CURL_HASH=c92fe31a348eae079121b73884065e600c533493eb50f1f6cee9c48a3f454826
 AUTOCONF_ROOT=autoconf-2.69
 AUTOCONF_HASH=954bd69b391edc12d6a4a51a2dd1476543da5c6bbf05a95b59dc0dd6fd4c2969
 AUTOMAKE_ROOT=automake-1.15
 AUTOMAKE_HASH=7946e945a96e28152ba5a6beb0625ca715c6e32ac55f2e353ef54def0c8ed924
+LIBTOOL_ROOT=libtool-2.4.6
+LIBTOOL_HASH=e3bd4d5d3d025a36c21dd6af7ea818a2afcd4dfc1ea5a17b39d7854bcd0c06e3
+SQLITE_AUTOCONF_VERSION=sqlite-autoconf-3210000
+# Homebrew saw the same hash: https://github.com/Homebrew/homebrew-core/blob/e3a8622111ecefe444194cade5cca3c69165e26c/Formula/sqlite.rb#L6
+SQLITE_AUTOCONF_HASH=d7dd516775005ad87a57f428b6f86afd206cb341722927f104d3f0cf65fbbbe3
 
 # Dependencies for compiling Python that we want to remove from
 # the final image after compiling Python
-PYTHON_COMPILE_DEPS="zlib-devel bzip2-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel"
+# GPG installed to verify signatures on Python source tarballs.
+PYTHON_COMPILE_DEPS="zlib-devel bzip2-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel gpg"
 
 # Libraries that are allowed as part of the manylinux1 profile
 MANYLINUX1_DEPS="glibc-devel libstdc++-devel glib2-devel libX11-devel libXext-devel libXrender-devel  mesa-libGL-devel libICE-devel libSM-devel ncurses-devel"
@@ -55,6 +65,7 @@ yum -y update
 
 # EPEL support
 yum -y install wget curl
+# https://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
 cp $MY_DIR/epel-release-5-4.noarch.rpm .
 check_sha256sum epel-release-5-4.noarch.rpm $EPEL_RPM_HASH
 
@@ -81,14 +92,19 @@ autoconf --version
 build_automake $AUTOMAKE_ROOT $AUTOMAKE_HASH
 automake --version
 
+# Install newest libtool
+build_libtool $LIBTOOL_ROOT $LIBTOOL_HASH
+libtool --version
+
 # Install a more recent SQLite3
-curl -fsSLO https://sqlite.org/2017/sqlite-autoconf-3160200.tar.gz
-tar xfz sqlite-autoconf-3160200.tar.gz
-cd sqlite-autoconf-3160200
+curl -fsSLO https://sqlite.org/2017/$SQLITE_AUTOCONF_VERSION.tar.gz
+check_sha256sum $SQLITE_AUTOCONF_VERSION.tar.gz $SQLITE_AUTOCONF_HASH
+tar xfz $SQLITE_AUTOCONF_VERSION.tar.gz
+cd $SQLITE_AUTOCONF_VERSION
 ./configure
 make install
 cd ..
-rm -rf sqlite-autoconf-3160200*
+rm -rf $SQLITE_AUTOCONF_VERSION*
 
 # Compile the latest Python releases.
 # (In order to have a proper SSL module, Python is compiled
@@ -123,6 +139,7 @@ rm -rf /usr/local/ssl
 
 # Install patchelf (latest with unreleased bug fixes)
 curl -fsSL -o patchelf.tar.gz https://github.com/NixOS/patchelf/archive/$PATCHELF_VERSION.tar.gz
+check_sha256sum patchelf.tar.gz $PATCHELF_HASH
 tar -xzf patchelf.tar.gz
 (cd patchelf-$PATCHELF_VERSION && ./bootstrap.sh && ./configure && make && make install)
 rm -rf patchelf.tar.gz patchelf-$PATCHELF_VERSION

docker/build_scripts/build_utils.sh

@@ -13,6 +13,7 @@ GET_PIP_URL=https://bootstrap.pypa.io/get-pip.py
 
 AUTOCONF_DOWNLOAD_URL=http://ftp.gnu.org/gnu/autoconf
 AUTOMAKE_DOWNLOAD_URL=http://ftp.gnu.org/gnu/automake
+LIBTOOL_DOWNLOAD_URL=http://ftp.gnu.org/gnu/libtool
 
 
 function check_var {
@@ -75,14 +76,17 @@ function build_cpython {
     local py_ver=$1
     check_var $py_ver
     check_var $PYTHON_DOWNLOAD_URL
-    wget -q $PYTHON_DOWNLOAD_URL/$py_ver/Python-$py_ver.tgz
+    curl -fsSLO $PYTHON_DOWNLOAD_URL/$py_ver/Python-$py_ver.tgz
+    curl -fsSLO $PYTHON_DOWNLOAD_URL/$py_ver/Python-$py_ver.tgz.asc
+    gpg --verify Python-$py_ver.tgz.asc
     if [ $(lex_pyver $py_ver) -lt $(lex_pyver 3.3) ]; then
         do_cpython_build $py_ver ucs2
         do_cpython_build $py_ver ucs4
     else
         do_cpython_build $py_ver none
     fi
     rm -f Python-$py_ver.tgz
+    rm -f Python-$py_ver.tgz.asc
 }
 
 
@@ -92,9 +96,14 @@ function build_cpythons {
     # versions used by the get-pip server. Keep trying though, because we'll
     # want to go back using $GET_PIP_URL when we upgrade to a newer CentOS...
     curl -sSLO $GET_PIP_URL || cp ${MY_DIR}/get-pip.py .
+    # Import public keys used to verify downloaded Python source tarballs.
+    # https://www.python.org/static/files/pubkeys.txt
+    gpg --import ${MY_DIR}/cpython-pubkeys.txt
     for py_ver in $@; do
         build_cpython $py_ver
     done
+    # Remove GPG hidden directory.
+    rm -rf /root/.gnupg/
     rm -f get-pip.py
 }
 
@@ -173,6 +182,7 @@ function build_autoconf {
     rm -rf ${autoconf_fname} ${autoconf_fname}.tar.gz
 }
 
+
 function build_automake {
     local automake_fname=$1
     check_var ${automake_fname}
@@ -185,3 +195,17 @@ function build_automake {
     (cd ${automake_fname} && do_standard_install)
     rm -rf ${automake_fname} ${automake_fname}.tar.gz
 }
+
+
+function build_libtool {
+    local libtool_fname=$1
+    check_var ${libtool_fname}
+    local libtool_sha256=$2
+    check_var ${libtool_sha256}
+    check_var ${LIBTOOL_DOWNLOAD_URL}
+    curl -sSLO ${LIBTOOL_DOWNLOAD_URL}/${libtool_fname}.tar.gz
+    check_sha256sum ${libtool_fname}.tar.gz ${libtool_sha256}
+    tar -zxf ${libtool_fname}.tar.gz
+    (cd ${libtool_fname} && do_standard_install)
+    rm -rf ${libtool_fname} ${libtool_fname}.tar.gz
+}