In order to improve parity with the upstream Docker Hub Python image builds, the build scripts used for our Python binary builds have been adjusted as follows:

- The Ubuntu security hardening compiler/linker flags are now retrieved using `dpkg-buildflags` and passed to the `make` invocation. See:
- `--build` architecture. See:
- The directory into which Python is installed during packaging has been changed, to make it clearer that it is only a temporary packaging path (and so why it doesn't match the path used in the CNB, for example), since Python is relocated by both this buildpack and the CNB into different locations.

After these changes, our compiler/linker options are now closer to: https://github.com/docker-library/python/blob/330331fbe3c8d19befaba10ee329c5bf3a9dc225/3.12/slim-bookworm/Dockerfile#L70-L89

These changes are being made now since we'll soon be generating new Python binaries/archives under a new URL structure, which will provide a safer/more convenient transition point for switching to these new compiler options (vs overwriting the existing archives on S3, or only making this change for new Python releases onwards).

GUS-W-14217295.
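As an added example (not the buildpack's own build script, and not code from the linked Dockerfile), the shell below shows the pattern described above on a Debian/Ubuntu host: collecting the `dpkg-buildflags` output, forwarding it to `make` through `EXTRA_CFLAGS`/`LDFLAGS` as the linked upstream Dockerfile does, then checking both the flag strings and the resulting binary with `readelf`. The function names, the choice to fold CPPFLAGS into `EXTRA_CFLAGS`, and the `readelf`-based verification are this example's assumptions. It also surfaces two things the flags quoted above do not give by themselves: on Ubuntu 22.04, `-D_FORTIFY_SOURCE=2` comes from `dpkg-buildflags --get CPPFLAGS`, not CFLAGS, so it is lost if only CFLAGS is forwarded; and `-Wl,-z,relro` without `-Wl,-z,now` yields only partial RELRO.

```shell
#!/bin/sh
# Added example, not the buildpack's build script. Assumes a Debian/Ubuntu build
# host with dpkg-dev (dpkg-buildflags) and binutils (readelf), and a CPython
# source tree that has already been ./configure'd in the current directory.
set -eu

# Forward the distro hardening flags to make. CFLAGS go in through EXTRA_CFLAGS
# (which CPython's Makefile appends to its own flags) so configure's choices are
# kept. CPPFLAGS is fetched as well: on Ubuntu 22.04 that is where
# -D_FORTIFY_SOURCE=2 lives, and it is silently lost if only CFLAGS is forwarded.
# Folding the preprocessor defines into EXTRA_CFLAGS is this example's choice.
build_with_hardening() {
    cflags="$(dpkg-buildflags --get CFLAGS)"
    cppflags="$(dpkg-buildflags --get CPPFLAGS)"
    ldflags="$(dpkg-buildflags --get LDFLAGS)"
    make -j "$(nproc)" \
        "EXTRA_CFLAGS=${cppflags} ${cflags}" \
        "LDFLAGS=${ldflags}"
}

# Summarise what a CFLAGS/LDFLAGS pair enables, one feature=value line each, so
# a CI step can diff the flags of two builds or fail on a missing feature.
hardening_report() {
    cflags="$1"
    ldflags="$2"
    sp=no fmt=no fortify=no has_relro=no has_now=no relro=none
    case " $cflags " in
        *" -fstack-protector-strong "*) sp=strong ;;
        *" -fstack-protector-all "*) sp=all ;;
        *" -fstack-protector "*) sp=basic ;;
    esac
    case " $cflags " in *" -Werror=format-security "*) fmt=yes ;; esac
    case " $cflags " in *"-D_FORTIFY_SOURCE="*) fortify=yes ;; esac
    # -z relro alone gives partial RELRO; the GOT only becomes read-only with -z now too.
    case " $ldflags " in *"-z,relro"*|*"-z relro"*) has_relro=yes ;; esac
    case " $ldflags " in *"-z,now"*|*"-z now"*) has_now=yes ;; esac
    if [ "$has_relro" = yes ] && [ "$has_now" = yes ]; then
        relro=full
    elif [ "$has_relro" = yes ]; then
        relro=partial
    fi
    printf 'stack-protector=%s\nformat-security=%s\nfortify-source=%s\nrelro=%s\n' \
        "$sp" "$fmt" "$fortify" "$relro"
}

# Check a built artefact (e.g. ./python or libpython3.12.so) for the features the
# flags were meant to produce; a stray make override can silently undo them.
verify_binary() {
    bin="$1"
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    relro=none sp=no fortify=no
    if readelf -lW "$bin" | grep -q 'GNU_RELRO'; then
        relro=partial
        if readelf -dW "$bin" | grep -Eq 'BIND_NOW|FLAGS_1.*NOW'; then
            relro=full
        fi
    fi
    # Functions with a canary call __stack_chk_fail; FORTIFY swaps e.g. memcpy
    # for __memcpy_chk. Either symbol shows up in the dynamic symbol table.
    if readelf -sW "$bin" | grep -q '__stack_chk_fail'; then sp=yes; fi
    if readelf -sW "$bin" | grep -Eq '__[a-z0-9_]+_chk(@|$)'; then fortify=yes; fi
    printf 'relro=%s\nstack-protector=%s\nfortify-source=%s\n' "$relro" "$sp" "$fortify"
}
```

Running `hardening_report` on the two flag strings quoted above reports `stack-protector=strong`, `format-security=yes`, `fortify-source=no` and `relro=partial`, which is why the build function also pulls in CPPFLAGS; `verify_binary ./python` after the build confirms the same properties on the produced interpreter rather than trusting the flags that were passed.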