14 changes: 11 additions & 3 deletions .devcontainer/Dockerfile
Expand Up @@ -5,7 +5,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# classpath settings
ENV CLASSPATH=:/usr/lib/opensourcecobol4j/libcobj.jar

# hadolint ignore=DL3041
# hadolint ignore=DL3041,DL3003
RUN dnf update -y \
&& dnf install -y --setopt=install_weak_deps=False \
epel-release \
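Review bot: the widened suppression `# hadolint ignore=DL3041,DL3003` silences the cd-inside-RUN warning for the whole instruction without recording why it is needed; a short trailing note such as `# DL3003: cd is required for the in-container automake source build` would keep the ignore from outliving the `cd` if that build step is later moved or replaced with WORKDIR.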
Expand All @@ -14,7 +14,6 @@ RUN dnf update -y \
make \
bison \
flex \
automake \
autoconf \
diffutils \
gettext \
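Review bot: removing `automake` from the dnf list while `autoconf` and `libtool` remain distro-provided means the source-built automake is paired with whatever autoconf version dnf ships; confirm that version satisfies the minimum that automake 1.16.5's configure script checks for, otherwise the mismatch surfaces only as a failed image build rather than at review time.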
Expand All @@ -24,7 +23,16 @@ RUN dnf update -y \
libtool \
gettext-devel \
unzip \
wget \
&& dnf clean all \
&& rm -rf /var/cache/dnf
&& rm -rf /var/cache/dnf \
&& wget -q https://ftp.gnu.org/gnu/automake/automake-1.16.5.tar.gz \
&& tar xzf automake-1.16.5.tar.gz \
&& cd automake-1.16.5 \
&& ./configure \
&& make -j"$(nproc)" \
&& make install \
Comment on lines +29 to +34

Copilot AI Feb 5, 2026


This Dockerfile downloads and builds automake-1.16.5.tar.gz directly from https://ftp.gnu.org and executes its configure/make as root without any checksum or signature verification, which introduces a supply chain risk. If an attacker can compromise or MITM the download host, they can serve a malicious tarball that will be built and installed into the dev container, potentially exfiltrating source code or secrets from developers' environments. To reduce this risk, verify the archive's integrity (e.g., pinned checksum or signature) or rely on a trusted, managed package source instead of an ad-hoc wget+build step.

&& cd .. \
&& rm -rf automake-1.16.5 automake-1.16.5.tar.gz
Comment on lines +29 to +36

Copilot AI Feb 5, 2026


This PR installs automake 1.16.5 from source in the dev container to ensure version consistency, but the static-analysis.yml workflow (line 27) still installs automake via dnf, which may result in a different version. This inconsistency could lead to build differences between the dev container and the CI environment.

For true consistency across environments as stated in the PR description, consider also updating static-analysis.yml to install the same automake version from source.


Comment on lines +30 to 37

Copilot AI Feb 5, 2026


The DL3003 hadolint rule warns against using 'cd' in a RUN instruction instead of WORKDIR. While the current suppression allows the build to work, using WORKDIR would be more aligned with Docker best practices and make directory changes more explicit.

Consider refactoring the automake installation to use WORKDIR for better clarity and to follow Docker conventions, though this would require splitting the RUN instruction or accepting the additional layer.

Suggested change
&& tar xzf automake-1.16.5.tar.gz \
&& cd automake-1.16.5 \
&& ./configure \
&& make -j"$(nproc)" \
&& make install \
&& cd .. \
&& rm -rf automake-1.16.5 automake-1.16.5.tar.gz
&& tar xzf automake-1.16.5.tar.gz
WORKDIR /automake-1.16.5
RUN ./configure \
&& make -j"$(nproc)" \
&& make install \
&& rm -rf /automake-1.16.5 /automake-1.16.5.tar.gz
WORKDIR /

RUN echo 'export CLASSPATH=:/usr/lib/opensourcecobol4j/libcobj.jar' >> ~/.bashrc
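Review bot: the archive fetched by `&& wget -q https://ftp.gnu.org/gnu/automake/automake-1.16.5.tar.gz \` is extracted, configured and installed as root with no integrity check between the download and `&& tar xzf automake-1.16.5.tar.gz \`; pin a digest and fail the build on mismatch, e.g. `&& echo "<sha256 of automake-1.16.5.tar.gz>  automake-1.16.5.tar.gz" | sha256sum -c - \` before the `tar` step (or verify the detached GPG signature against the GNU keyring), so a substituted or tampered tarball stops the image build instead of landing in every developer's container. A secondary point: `./configure` is run without `--prefix`, so `make install` places automake under /usr/local rather than alongside the dnf-installed autoconf and libtool in /usr; either pass `--prefix=/usr` or document the /usr/local location so PATH ordering is understood by anyone debugging a version mismatch.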
1 change: 1 addition & 0 deletions .github/workflows/check-dev-container.yml
Expand Up @@ -31,4 +31,5 @@ jobs:
make
make install
cobj --version
automake --version
push: never
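Review bot: `automake --version` after `cobj --version` only shows that some automake is on PATH and never fails the job; to actually assert that the 1.16.5 source build is the one found, make the step check the output, e.g. `automake --version | head -n1 | grep -q '1\.16\.5'`, which also catches a distro-packaged automake shadowing the /usr/local/bin copy.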