build: fix repro builds where host userid != 1000

- repro builds to use fixed uid=1000 inside the container - in case the file permissions leak into the binaries, they are still reproducible - chown 1000:1000 fresh_clone - repro builds to create fresh_clone dir outside git clone - otherwise the local dev build would still interact with the fresh_clone dir - due to e.g. recursive "find -exec touch", - and even the "docker build" cmd itself would try to stat/read it - see docker/for-linux#380 - and "rm -rf fresh_clone" needs sudo if the host uid is not 1000 - this way the local dev build does not need sudo to recap: - local dev builds use the host userid inside the container, directly operate on the project dir - does not need sudo - repro builds create a fresh git clone, chown it to 1000, and use userid=1000 inside the container - if the host userid is 1000, does not need sudo - otherwise, needs sudo closes spesmilo#8261
SomberNight · Mar 20, 2023 · b49a37b · b49a37b
1 parent 6e472ef
commit b49a37b
Show file tree

Hide file tree

Showing 8 changed files with 48 additions and 27 deletions.
diff --git a/.gitignore b/.gitignore
@@ -34,14 +34,10 @@ contrib/build-wine/build/
 contrib/build-wine/.cache/
 contrib/build-wine/dist/
 contrib/build-wine/signed/
-contrib/build-wine/fresh_clone/
-contrib/build-linux/sdist/fresh_clone/
 contrib/build-linux/appimage/build/
 contrib/build-linux/appimage/.cache/
-contrib/build-linux/appimage/fresh_clone/
 contrib/osx/.cache/
 contrib/osx/build-venv/
-contrib/android/fresh_clone
 contrib/android/android_debug.keystore
 contrib/secp256k1/
 contrib/zbar/

diff --git a/contrib/android/build.sh b/contrib/android/build.sh
@@ -52,11 +52,11 @@ docker build \
 # maybe do fresh clone
 if [ ! -z "$ELECBUILD_COMMIT" ] ; then
     info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout."
-    FRESH_CLONE="$CONTRIB_ANDROID/fresh_clone/electrum" && \
-        rm -rf "$FRESH_CLONE" && \
-        umask 0022 && \
-        git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \
-        cd "$FRESH_CLONE"
+    FRESH_CLONE="/tmp/electrum_build/android/fresh_clone/electrum"
+    rm -rf "$FRESH_CLONE" 2>/dev/null || info "we need sudo to rm prev FRESH_CLONE." && sudo rm -rf "$FRESH_CLONE"
+    umask 0022
+    git clone "$PROJECT_ROOT" "$FRESH_CLONE"
+    cd "$FRESH_CLONE"
     git checkout "$ELECBUILD_COMMIT"
     PROJECT_ROOT_OR_FRESHCLONE_ROOT="$FRESH_CLONE"
 else
@@ -72,6 +72,13 @@ fi
 
 info "building binary..."
 mkdir --parents "$PROJECT_ROOT_OR_FRESHCLONE_ROOT"/.buildozer/.gradle
+# check uid and maybe chown. see #8261
+if [ ! -z "$ELECBUILD_COMMIT" ] ; then  # fresh clone (reproducible build)
+    if [ $(id -u) != "1000" ] || [ $(id -g) != "1000" ] ; then
+        info "need to chown -R FRESH_CLONE dir. prompting for sudo."
+        sudo chown -R 1000:1000 "$FRESH_CLONE"
+    fi
+fi
 docker run -it --rm \
     --name electrum-android-builder-cont \
     -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/home/user/wspace/electrum \

diff --git a/contrib/build-linux/appimage/.dockerignore b/contrib/build-linux/appimage/.dockerignore
@@ -1,3 +1,2 @@
 build/
 .cache/
-fresh_clone/
diff --git a/contrib/build-linux/appimage/build.sh b/contrib/build-linux/appimage/build.sh
@@ -35,18 +35,25 @@ docker build \
 # maybe do fresh clone
 if [ ! -z "$ELECBUILD_COMMIT" ] ; then
     info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout."
-    FRESH_CLONE="$CONTRIB_APPIMAGE/fresh_clone/electrum" && \
-        rm -rf "$FRESH_CLONE" && \
-        umask 0022 && \
-        git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \
-        cd "$FRESH_CLONE"
+    FRESH_CLONE="/tmp/electrum_build/appimage/fresh_clone/electrum"
+    rm -rf "$FRESH_CLONE" 2>/dev/null || info "we need sudo to rm prev FRESH_CLONE." && sudo rm -rf "$FRESH_CLONE"
+    umask 0022
+    git clone "$PROJECT_ROOT" "$FRESH_CLONE"
+    cd "$FRESH_CLONE"
     git checkout "$ELECBUILD_COMMIT"
     PROJECT_ROOT_OR_FRESHCLONE_ROOT="$FRESH_CLONE"
 else
     info "not doing fresh clone."
 fi
 
 info "building binary..."
+# check uid and maybe chown. see #8261
+if [ ! -z "$ELECBUILD_COMMIT" ] ; then  # fresh clone (reproducible build)
+    if [ $(id -u) != "1000" ] || [ $(id -g) != "1000" ] ; then
+        info "need to chown -R FRESH_CLONE dir. prompting for sudo."
+        sudo chown -R 1000:1000 "$FRESH_CLONE"
+    fi
+fi
 docker run -it \
     --name electrum-appimage-builder-cont \
     -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/electrum \

diff --git a/contrib/build-linux/sdist/.dockerignore b/contrib/build-linux/sdist/.dockerignore
@@ -1 +0,0 @@
-fresh_clone/

diff --git a/contrib/build-linux/sdist/build.sh b/contrib/build-linux/sdist/build.sh
@@ -35,18 +35,25 @@ docker build \
 # maybe do fresh clone
 if [ ! -z "$ELECBUILD_COMMIT" ] ; then
     info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout."
-    FRESH_CLONE="$CONTRIB_SDIST/fresh_clone/electrum" && \
-        rm -rf "$FRESH_CLONE" && \
-        umask 0022 && \
-        git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \
-        cd "$FRESH_CLONE"
+    FRESH_CLONE="/tmp/electrum_build/sdist/fresh_clone/electrum"
+    rm -rf "$FRESH_CLONE" 2>/dev/null || info "we need sudo to rm prev FRESH_CLONE." && sudo rm -rf "$FRESH_CLONE"
+    umask 0022
+    git clone "$PROJECT_ROOT" "$FRESH_CLONE"
+    cd "$FRESH_CLONE"
     git checkout "$ELECBUILD_COMMIT"
     PROJECT_ROOT_OR_FRESHCLONE_ROOT="$FRESH_CLONE"
 else
     info "not doing fresh clone."
 fi
 
 info "building binary..."
+# check uid and maybe chown. see #8261
+if [ ! -z "$ELECBUILD_COMMIT" ] ; then  # fresh clone (reproducible build)
+    if [ $(id -u) != "1000" ] || [ $(id -g) != "1000" ] ; then
+        info "need to chown -R FRESH_CLONE dir. prompting for sudo."
+        sudo chown -R 1000:1000 "$FRESH_CLONE"
+    fi
+fi
 docker run -it \
     --name electrum-sdist-builder-cont \
     -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/electrum \

diff --git a/contrib/build-wine/.dockerignore b/contrib/build-wine/.dockerignore
@@ -3,4 +3,3 @@ build/
 .cache/
 dist/
 signed/
-fresh_clone/
diff --git a/contrib/build-wine/build.sh b/contrib/build-wine/build.sh
@@ -37,18 +37,25 @@ docker build \
 # maybe do fresh clone
 if [ ! -z "$ELECBUILD_COMMIT" ] ; then
     info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout."
-    FRESH_CLONE="$CONTRIB_WINE/fresh_clone/electrum" && \
-        rm -rf "$FRESH_CLONE" && \
-        umask 0022 && \
-        git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \
-        cd "$FRESH_CLONE"
+    FRESH_CLONE="/tmp/electrum_build/windows/fresh_clone/electrum"
+    rm -rf "$FRESH_CLONE" 2>/dev/null || info "we need sudo to rm prev FRESH_CLONE." && sudo rm -rf "$FRESH_CLONE"
+    umask 0022
+    git clone "$PROJECT_ROOT" "$FRESH_CLONE"
+    cd "$FRESH_CLONE"
     git checkout "$ELECBUILD_COMMIT"
     PROJECT_ROOT_OR_FRESHCLONE_ROOT="$FRESH_CLONE"
 else
     info "not doing fresh clone."
 fi
 
 info "building binary..."
+# check uid and maybe chown. see #8261
+if [ ! -z "$ELECBUILD_COMMIT" ] ; then  # fresh clone (reproducible build)
+    if [ $(id -u) != "1000" ] || [ $(id -g) != "1000" ] ; then
+        info "need to chown -R FRESH_CLONE dir. prompting for sudo."
+        sudo chown -R 1000:1000 "$FRESH_CLONE"
+    fi
+fi
 docker run -it \
     --name electrum-wine-builder-cont \
     -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/wine64/drive_c/electrum \
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,4 +3,3 @@ build/ @@
     .cache/
     dist/
     signed/
-    fresh_clone/