From: Ross Younger
Date: Wed, 5 May 2021 17:05:57 +1200
Subject: Containerised APK builds and security xattrs
To: ~alpine/devel@lists.alpinelinux.org

I am building my own APKs for local use, targeting alpine 3.13.

It seems that abuild causes package contents to inherit security xattrs from the host OS (if present). This is tripping me up as these packages fail to install on a container hosted by an OS that doesn't have security contexts enabled.

I use Bitbucket for source control and am trying to set up containerised CI in Bitbucket pipelines. When I build my container using Bitbucket Pipelines the APK is different from when I build locally! When built on-cloud, the files in the APK contain security.selinux xattrs. When built locally, they don't. (I have a script that runs the Bitbucket pipeline in a local container, so I'm pretty sure the same build steps are being followed.)

Installing an APK built on the cloud to a container on my local machine fails:

    /here # apk add --allow-untrusted date_h-dev-3.0.0-r2.apk
    (1/1) Installing date_h-dev (3.0.0-r2)
    ERROR: Failed to set xattrs on usr/include/date/.apk.13d8a17d6f42822d457261eae2fa9ea9ba43faf2c673bf68: Operation not permitted
    [...]
    1 error; 211 MiB in 53 packages

I have dug far enough to find that abuild explicitly calls `tar --xattrs ...' when creating the package, and that `apk add' is simply attempting to preserve that.

Is there any chance that that `tar --xattrs' in abuild might one day change to --no-xattrs, or to something more complex that filters out selinux xattrs? Perhaps you have a good reason for explicitly including xattrs.

Or am I better off using something other than Bitbucket? Are there any CI services you recommend (or disrecommend) for building APKs?

Thanks for your attention.

Ross
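As an added example (not part of Ross's message, and not abuild's or apk's own code), the following Python shows how the xattrs end up inside the archive and how a CI step could catch them before the package reaches a host without SELinux. GNU tar's `--xattrs` records each extended attribute as a PAX record named `SCHILY.xattr.<name>`, which Python's tarfile module exposes as `TarInfo.pax_headers`. The archive, file names and the SELinux label value below are constructed for the example. The code works on a plain gzipped tar archive; a real .apk is three concatenated gzip streams (signature, control, data), so the data stream would have to be split out first, and rewriting it would invalidate the package signature. The stripping function therefore illustrates the kind of filter the question asks about, not a change to apply to a signed package.

```python
"""Detect (and optionally strip) security.* xattrs carried in a tar archive.

Constructed example: builds a small tar.gz in memory the way `tar --xattrs`
records attributes (PAX key SCHILY.xattr.<name>), reports which members
carry security.* xattrs, and writes a copy without those records.
"""
import io
import sys
import tarfile

XATTR_PREFIX = "SCHILY.xattr."   # PAX key prefix GNU tar uses for xattrs
SECURITY_NS = "security."        # namespace that needs a matching LSM/privilege to set


def build_sample_archive() -> bytes:
    """Constructed sample: two headers, one tagged with an SELinux label."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.PAX_FORMAT) as tf:
        for name, label in (("usr/include/date/date.h", "system_u:object_r:usr_t:s0"),
                            ("usr/include/date/tz.h", None)):
            data = b"// header contents\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            if label is not None:
                # tar --xattrs stores the raw value; SELinux contexts are NUL-terminated
                info.pax_headers[XATTR_PREFIX + "security.selinux"] = label + "\0"
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def security_xattrs(archive: bytes) -> dict:
    """Map member name -> {xattr name: value} for every security.* xattr found."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        for member in tf.getmembers():
            attrs = {k[len(XATTR_PREFIX):]: v
                     for k, v in member.pax_headers.items()
                     if k.startswith(XATTR_PREFIX + SECURITY_NS)}
            if attrs:
                found[member.name] = attrs
    return found


def strip_security_xattrs(archive: bytes) -> bytes:
    """Return a copy of the archive with the security.* xattr records removed.

    Other PAX records and all file data are copied through unchanged.
    """
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz", format=tarfile.PAX_FORMAT) as dst:
        for member in src.getmembers():
            member.pax_headers = {k: v for k, v in member.pax_headers.items()
                                  if not k.startswith(XATTR_PREFIX + SECURITY_NS)}
            dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    return out.getvalue()


def list_members(archive: bytes) -> list:
    """(name, size) for each member, used to confirm stripping kept the payload."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        return [(m.name, m.size) for m in tf.getmembers()]


if __name__ == "__main__":
    # Usage as a CI gate: exit non-zero when the archive carries security xattrs.
    archive = build_sample_archive()
    offenders = security_xattrs(archive)
    for name, attrs in offenders.items():
        for attr, value in attrs.items():
            print(f"{name}: {attr}={value.rstrip(chr(0))!r}")
    sys.exit(1 if offenders else 0)
```

Running the script lists the tagged member and exits 1, which is the check a pipeline would want; a build host with no SELinux produces an archive with no such records, which is why the local and Bitbucket builds differ in the first place.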