From d85cf42c5541e1827197397412480a61004d089f Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 20 Sep 2016 10:14:46 -0700 Subject: [PATCH] Use "wget" instead of "curl" and add a comment to help us remember why we turn off "ENABLE_PATH_CHECK" --- Dockerfile-alpine.template | 39 ++++++++++++++++++++++++++------------ Dockerfile-slim.template | 28 +++++++++++++++++++++------ Dockerfile.template | 26 ++++++++++++++++++++----- 3 files changed, 70 insertions(+), 23 deletions(-) diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 85c3f125a..7c7e4f5a4 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -13,8 +13,10 @@ ENV RUBY_DOWNLOAD_SHA256 %%SHA256%% ENV RUBYGEMS_VERSION %%RUBYGEMS%% # some of ruby's build scripts are written in ruby -# we purge this later to make sure our final image uses what we just built +# we purge system ruby later to make sure our final image uses what we just built +# readline-dev vs libedit-dev: https://bugs.ruby-lang.org/issues/11869 and https://github.com/docker-library/ruby/issues/75 RUN set -ex \ + \ && apk add --no-cache --virtual .ruby-builddeps \ autoconf \ bison \ @@ -22,7 +24,6 @@ RUN set -ex \ bzip2-dev \ ca-certificates \ coreutils \ - curl \ gcc \ gdbm-dev \ glib-dev \ 
@@ -33,27 +34,40 @@ RUN set -ex \ linux-headers \ make \ ncurses-dev \ + openssl \ openssl-dev \ procps \ -# https://bugs.ruby-lang.org/issues/11869 and https://github.com/docker-library/ruby/issues/75 readline-dev \ ruby \ + tar \ yaml-dev \ zlib-dev \ - && curl -fSL -o ruby.tar.gz "https://cache.ruby-lang.org/pub/ruby/$RUBY_MAJOR/ruby-$RUBY_VERSION.tar.gz" \ + \ + && wget -O ruby.tar.gz "https://cache.ruby-lang.org/pub/ruby/$RUBY_MAJOR/ruby-$RUBY_VERSION.tar.gz" \ && echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.gz" | sha256sum -c - \ - && mkdir -p /usr/src \ - && tar -xzf ruby.tar.gz -C /usr/src \ - && mv "/usr/src/ruby-$RUBY_VERSION" /usr/src/ruby \ + \ + && mkdir -p /usr/src/ruby \ + && tar -xzf ruby.tar.gz -C /usr/src/ruby --strip-components=1 \ && rm ruby.tar.gz \ + \ && cd /usr/src/ruby \ - && { echo '#define ENABLE_PATH_CHECK 0'; echo; cat file.c; } > file.c.new && mv file.c.new file.c \ + \ +# hack in "ENABLE_PATH_CHECK" disabling to suppress: +# warning: Insecure world writable dir + && { \ + echo '#define ENABLE_PATH_CHECK 0'; \ + echo; \ + cat file.c; \ + } > file.c.new \ + && mv file.c.new file.c \ + \ && autoconf \ - # the configure script does not detect isnan/isinf as macros +# the configure script does not detect isnan/isinf as macros && ac_cv_func_isnan=yes ac_cv_func_isinf=yes \ ./configure --disable-install-doc \ && make -j"$(getconf _NPROCESSORS_ONLN)" \ && make install \ + \ && runDeps="$( \ scanelf --needed --nobanner --recursive /usr/local \ | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ @@ -64,15 +78,16 @@ RUN set -ex \ && apk add --virtual .ruby-rundeps $runDeps \ bzip2 \ ca-certificates \ - curl \ libffi-dev \ openssl-dev \ yaml-dev \ procps \ zlib-dev \ && apk del .ruby-builddeps \ - && gem update --system $RUBYGEMS_VERSION \ - && rm -r /usr/src/ruby + && cd / \ + && rm -r /usr/src/ruby \ + \ + && gem update --system "$RUBYGEMS_VERSION" ENV BUNDLER_VERSION %%BUNDLER%% 
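Review bot: The `wget -O ruby.tar.gz` line gives no assurance that the server certificate is validated, because on Alpine this is presumably BusyBox's wget applet rather than GNU wget. The `openssl` package added to `.ruby-builddeps` in this hunk looks like it is there for that applet's HTTPS support, and whether it verifies certificates depends on the BusyBox build. That leaves the `sha256sum -c` line as the only dependable integrity control on the tarball, so it is worth a comment to stop it being dropped or reordered, for example `# integrity of ruby.tar.gz rests on the sha256sum check below, not on the transport`. The RUN instruction starts before this hunk and continues past it.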
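Review bot: `gem update --system "$RUBYGEMS_VERSION"` pins only a version, whereas the Ruby tarball earlier in the same RUN is checked against `RUBY_DOWNLOAD_SHA256`. The RubyGems update is therefore the one fetched artifact in this build with no digest check; it relies entirely on the transport and the gem index. If that asymmetry is intentional, say so in a comment such as `# rubygems-update is version-pinned only; no digest is verified here`. Otherwise, track a digest next to the version (placeholder name `RUBYGEMS_DOWNLOAD_SHA256`) and verify it before installing. The same line appears in the last hunks of Dockerfile-slim.template and Dockerfile.template.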
diff --git a/Dockerfile-slim.template b/Dockerfile-slim.template index 78413a038..74774ab9f 100644 --- a/Dockerfile-slim.template +++ b/Dockerfile-slim.template @@ -4,7 +4,6 @@ RUN apt-get update \ && apt-get install -y --no-install-recommends \ bzip2 \ ca-certificates \ - curl \ libffi-dev \ libgdbm3 \ libssl-dev \ @@ -26,8 +25,9 @@ ENV RUBY_DOWNLOAD_SHA256 %%SHA256%% ENV RUBYGEMS_VERSION %%RUBYGEMS%% # some of ruby's build scripts are written in ruby -# we purge this later to make sure our final image uses what we just built +# we purge system ruby later to make sure our final image uses what we just built RUN set -ex \ + \ && buildDeps=' \ autoconf \ bison \ @@ -41,24 +41,40 @@ RUN set -ex \ libxslt-dev \ make \ ruby \ + wget \ ' \ && apt-get update \ && apt-get install -y --no-install-recommends $buildDeps \ && rm -rf /var/lib/apt/lists/* \ - && curl -fSL -o ruby.tar.gz "https://cache.ruby-lang.org/pub/ruby/$RUBY_MAJOR/ruby-$RUBY_VERSION.tar.gz" \ + \ + && wget -O ruby.tar.gz "https://cache.ruby-lang.org/pub/ruby/$RUBY_MAJOR/ruby-$RUBY_VERSION.tar.gz" \ && echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.gz" | sha256sum -c - \ + \ && mkdir -p /usr/src/ruby \ && tar -xzf ruby.tar.gz -C /usr/src/ruby --strip-components=1 \ && rm ruby.tar.gz \ + \ && cd /usr/src/ruby \ - && { echo '#define ENABLE_PATH_CHECK 0'; echo; cat file.c; } > file.c.new && mv file.c.new file.c \ + \ +# hack in "ENABLE_PATH_CHECK" disabling to suppress: +# warning: Insecure world writable dir + && { \ + echo '#define ENABLE_PATH_CHECK 0'; \ + echo; \ + cat file.c; \ + } > file.c.new \ + && mv file.c.new file.c \ + \ && autoconf \ && ./configure --disable-install-doc \ && make -j"$(nproc)" \ && make install \ + \ && apt-get purge -y --auto-remove $buildDeps \ - && gem update --system $RUBYGEMS_VERSION \ - && rm -r /usr/src/ruby + && cd / \ + && rm -r /usr/src/ruby \ + \ + && gem update --system "$RUBYGEMS_VERSION" ENV BUNDLER_VERSION %%BUNDLER%% 
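Review bot: The new comment above the `#define ENABLE_PATH_CHECK 0` block explains which warning is being silenced, but not what is given up by silencing it. Judging by the macro name and the quoted warning, the define compiles the PATH permission check out of `file.c`, so the built interpreter will no longer report a genuinely world-writable directory on PATH to anyone running the image. I would extend the comment with the reason the check misfires in this build and the trade-off, for example `# NOTE: this disables the check for all users of the image, not just during the build`. The same block and comment are added in the Dockerfile-alpine.template and Dockerfile.template hunks.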
diff --git a/Dockerfile.template b/Dockerfile.template index bbf0b2489..90b0b1fbb 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -13,8 +13,9 @@ ENV RUBY_DOWNLOAD_SHA256 %%SHA256%% ENV RUBYGEMS_VERSION %%RUBYGEMS%% # some of ruby's build scripts are written in ruby -# we purge this later to make sure our final image uses what we just built +# we purge system ruby later to make sure our final image uses what we just built RUN set -ex \ + \ && buildDeps=' \ bison \ libgdbm-dev \ @@ -23,20 +24,35 @@ RUN set -ex \ && apt-get update \ && apt-get install -y --no-install-recommends $buildDeps \ && rm -rf /var/lib/apt/lists/* \ - && curl -fSL -o ruby.tar.gz "https://cache.ruby-lang.org/pub/ruby/$RUBY_MAJOR/ruby-$RUBY_VERSION.tar.gz" \ + \ + && wget -O ruby.tar.gz "https://cache.ruby-lang.org/pub/ruby/$RUBY_MAJOR/ruby-$RUBY_VERSION.tar.gz" \ && echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.gz" | sha256sum -c - \ + \ && mkdir -p /usr/src/ruby \ && tar -xzf ruby.tar.gz -C /usr/src/ruby --strip-components=1 \ && rm ruby.tar.gz \ + \ && cd /usr/src/ruby \ - && { echo '#define ENABLE_PATH_CHECK 0'; echo; cat file.c; } > file.c.new && mv file.c.new file.c \ + \ +# hack in "ENABLE_PATH_CHECK" disabling to suppress: +# warning: Insecure world writable dir + && { \ + echo '#define ENABLE_PATH_CHECK 0'; \ + echo; \ + cat file.c; \ + } > file.c.new \ + && mv file.c.new file.c \ + \ && autoconf \ && ./configure --disable-install-doc \ && make -j"$(nproc)" \ && make install \ + \ && apt-get purge -y --auto-remove $buildDeps \ - && gem update --system $RUBYGEMS_VERSION \ - && rm -r /usr/src/ruby + && cd / \ + && rm -r /usr/src/ruby \ + \ + && gem update --system "$RUBYGEMS_VERSION" ENV BUNDLER_VERSION %%BUNDLER%%
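Review bot: The `wget -O ruby.tar.gz` line in this file depends on a tool that the visible `buildDeps` lines do not install, whereas the Dockerfile-slim.template hunk adds `wget` to `buildDeps` explicitly. The FROM line is outside the hunk, so presumably the base image ships wget and the CA bundle. Since that dependency is implicit, a short comment next to `buildDeps` would help, such as `# wget and ca-certificates are expected from the base image`. Without it, a change of base image would only surface as a failure at the download step.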