The upstream build of the fuzzer currently builds freetype --without-zlib
and --without-png so these are not needed. In addition, because of the
way these dependencies are used they must be built with the sanitizer in
order to detect interesting issues like CVE-2020-15999, where FreeType
may call into libpng incorrectly but it is libpng which actually does
the reads and writes. This has been proposed upstream at
https://github.com/freetype/freetype2-testing/pull/86 which uses
prefixes to ensure that the system symbols are never used, but it would
be beneficial to not have them available at all.

- Build the known target `ftfuzzer' with FreeType's new, dedicated testing repository.
- Move most of the build logic regarding the fuzz targets to FreeType's repository.

https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
I ran into this because I was getting errors locally, like:
E: Failed to fetch http://archive.ubuntu.com/ubuntu/pool/main/d/dpkg/libdpkg-perl_1.18.4ubuntu1.1_all.deb 404 Not Found [IP: 91.189.88.149 80]
It turns out you get these if you don't update, and the official best practices are to `run apt-get update && apt-get install`. In fact, running _any_ apt-get install command without the apt-get update && before it can result in unfortunate caching artifacts -- see "cache busting". (P.S. thanks to Peng on Freenode for helping me, I'm bad at Ubuntu.)
So:

    sed -re \
    's/RUN apt-get ((-y )?(install|build-dep))/RUN apt-get update \&\& apt-get \1/' -i \
    projects/**/Dockerfile

I also manually fixed the cases that already ran apt-get update in their Dockerfile:

    dlplibs/Dockerfile
    grpc/Dockerfile
    libreoffice/Dockerfile
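
A check for the pattern this commit message describes, as an added example (not code from the commit or its project): it flags every RUN instruction that calls apt-get install or build-dep without an apt-get update earlier in the same instruction, which also catches an update left in a separate, cacheable layer. The function names and the sample Dockerfile are constructed for illustration.

```python
import re

# "apt-get [options] install|build-dep" and "apt-get [options] update".
INSTALL_RE = re.compile(r"\bapt-get\s+(?:-\S+\s+)*(?:install|build-dep)\b")
UPDATE_RE = re.compile(r"\bapt-get\s+(?:-\S+\s+)*update\b")

# Constructed sample Dockerfile (not taken from any project).
SAMPLE = """\
FROM ubuntu
RUN apt-get update
RUN apt-get install -y make
RUN apt-get update && apt-get install -y \\
    autoconf \\
    libtool
# RUN apt-get install -y commented-out
RUN apt-get -y build-dep foo
"""

def logical_instructions(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    parts, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Docker drops comment lines, even inside a continuation
        if start is None:
            start = lineno
        parts.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(parts)
            parts, start = [], None
    if parts:
        yield start, " ".join(parts)

def stale_apt_installs(text):
    """Line numbers of RUN instructions that install packages without an
    apt-get update earlier in the same instruction (the same cached layer)."""
    findings = []
    for lineno, instr in logical_instructions(text):
        install = INSTALL_RE.search(instr)
        if not re.match(r"RUN\s", instr, re.I) or install is None:
            continue
        update = UPDATE_RE.search(instr)
        if update is None or update.start() > install.start():
            findings.append(lineno)
    return findings

if __name__ == "__main__":
    print(stale_apt_installs(SAMPLE))
```

Line 3 of the sample is flagged even though line 2 runs apt-get update, because the two instructions are cached as separate layers and the package index from the first can be stale by the time the second is rebuilt.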