pjonsson
commented
1 week ago @alexgleith according to the commit logs it was you who removed the previously existing build-stage of the Dockerfile. What do you say about re-introducing it? There's a substantial saving in image size, and a fair amount of fewer security vulnerabilities flagged by Trivy.
This PR builds the binary wheels in the build stage of the container and installs them in the "real" container. I'm not sure how to put the wheels in the requirements.txt so it works with pip-compile, or if we perhaps could drop the pip-compile step completely (which would reduce the number of releases required since a rebuild of the image would give security updates).
And as a general remark, I cannot understand how the CI tests did not trigger the eodatasets3 distutils dependency problem until now.
The image currently has 840 security vulnerabilities according to Trivy. Many of those vulnerabilities are in the development packages, so add a build stage to the Dockerfile so the development packages do not end up in the final image. This reduces the final image size by roughly 1/3 of its size.
Since everything is being changed, also replace wget with curl, so we get error messages on HTTP failures (wget -q silences everything including error printouts, and the behavior cannot be overridden).