> -----Original Message-----
> From: Richard Henderson <richard.henderson@linaro.org>
...
> On 10/1/21 12:59 PM, Brian Cain wrote:
> > Alex,
> >
> > We need to update the docker container used for hexagon for new test cases
> proposed in Taylor's recent patch series under review. Thankfully, CodeLinaro
> has provided a binary of the hexagon cross toolchain so now I think we can
> simplify the hexagon docker file to something like the below. I hope this also
> means that we can remove the exceptional handling for the hexagon container.
> >
> > I can propose a patch but I'm not quite certain how to test it.
>
> make docker-image-debian-hexagon-cross NOCACHE=1 V=1
>
> and then make check-tcg to use the new image.
Ok -- so the intent of the NOCACHE is that it will force the use of my newly modified Dockerfile and not the one in the qemu container repository?
> > The "--no-check-certificate" argument to wget is very bad but I'm not quite
> certain how to upgrade/change the container's certificate store to accept the
> apparently-legit-but-perhaps-newer-than-expected certificate presented by
> codelinaro.jfrog.io.
>
> Hum. This all suggests that it would be better to update the build-toolchain
> script.
If there's any trust concerns we can verify the download in the dockerfile using the hash file for the tarball and/or the gpg signature.
The build-toolchain is a bit of a hassle given the processing time, it'd be great to avoid it. If the hash or signature check doesn't suffice I will investigate how to update debian10's signatures. Are we bound to debian10 for all the containers? If using a different basis was effective at resolving this issue, could I select a different one?
Sure, debian11 is now stable. We try and avoid rolling releases as a base but the latest debian should be fine.
> > RUN cd /tmp && \
> > wget --quiet --no-check-certificate ${CLANG_URL}
> > RUN cd /opt && \
> > tar xf /tmp/clang+llvm-Sept-2021-cross-hexagon-unknown-linux-
> musl.tar.xz
>
> You'd want to remove the tarball as well.
Yes, good point.