crypto-bug-hunters · endersonmaia · Sep 13, 2024 · Sep 11, 2024 · Sep 12, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,48 @@
-# syntax=docker.io/docker/dockerfile:1.4
+# syntax=docker.io/docker/dockerfile:1
+
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG NOBLE_DATE=20240801
+ARG APT_UPDATE_SNAPSHOT=${NOBLE_DATE}T030400Z
+
+################################################################################
+# cross base stage
+FROM ubuntu:noble-${NOBLE_DATE} AS base-build-stage
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:noble-${NOBLE_DATE} AS base-target-stage
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
 
 ################################################################################
 # cross build stage
-FROM ubuntu:noble-20240801 as build-stage
+FROM base-build-stage AS build-stage
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
-apt update
 apt install -y --no-install-recommends \
-    build-essential=12.10ubuntu1 \
-    ca-certificates=20240203 \
-    g++-riscv64-linux-gnu=4:13.2.0-7ubuntu1 \
-    wget=1.21.4-1ubuntu4.1
+    build-essential \
+    ca-certificates \
+    g++-riscv64-linux-gnu \
+    wget
 EOF
 
 ARG GOVERSION=1.23.0
@@ -38,17 +68,16 @@
 
 ################################################################################
 # riscv64 build stage
-FROM --platform=linux/riscv64 ubuntu:noble-20240801 as riscv64-build-stage
+FROM base-target-stage AS riscv64-build-stage
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
-apt update
 apt install -y --no-install-recommends \
-    lua5.4=5.4.6-3build2 \
-    build-essential=12.10ubuntu1 \
-    ca-certificates=20240203 \
-    wget=1.21.4-1ubuntu4.1
+    lua5.4 \
+    build-essential \
+    ca-certificates \
+    wget
 EOF
 
 WORKDIR /opt/build
@@ -82,7 +111,7 @@
 
 ################################################################################
 # runtime stage: produces final image that will be executed
-FROM --platform=linux/riscv64 ubuntu:noble-20240801
+FROM base-target-stage
 
 LABEL io.cartesi.sdk_version=0.9.0
 LABEL io.cartesi.rollups.ram_size=128Mi
@@ -93,14 +122,13 @@
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -eu
-apt-get update
 apt-get install -y --no-install-recommends \
-    busybox-static=1:1.36.1-6ubuntu3.1 \
-    ca-certificates=20240203 \
-    curl=8.5.0-2ubuntu10.3 \
-    libasan6=11.4.0-9ubuntu1 \
-    libasan8=14-20240412-0ubuntu1 \
-    xz-utils=5.6.1+really5.4.5-1build0.1
+    busybox-static \
+    ca-certificates \
+    curl \
+    libasan6 \
+    libasan8 \
+    xz-utils
 curl -o ${MACHINE_EMULATOR_TOOLS_DEB} -fsSL https://github.com/cartesi/machine-emulator-tools/releases/download/v${MACHINE_EMULATOR_TOOLS_VERSION}/${MACHINE_EMULATOR_TOOLS_DEB}
 dpkg -i ${MACHINE_EMULATOR_TOOLS_DEB}
 rm ${MACHINE_EMULATOR_TOOLS_DEB}