chore: modernize Dockerfile and document glibc floor

Author: lidel

Dockerfile

@@ -1,12 +1,21 @@
+# Pinned intentionally. Do NOT bump the base image without revisiting
+# build-go.sh's glibc-check assertion (`minor < 32`). Ubuntu 20.04 ships
+# glibc 2.31, which caps CGO-linked linux/amd64 binaries at GLIBC_2.31
+# symbols, keeping dist.ipfs.tech tarballs runnable on CentOS 7/RHEL 7,
+# RHEL 8/9, Ubuntu 18.04/20.04, and Debian 10/11. Upgrading the base
+# image is a user-facing compat break and must be announced in release
+# notes. Revisit by 2026-08 (Debian 11 LTS EOL) to pick the next floor.
 FROM ubuntu:20.04
 
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
+ENV TZ=Etc/UTC
 ARG USER_UID
 
 ARG KUBO_VER
-RUN apt-get update -q && apt-get install -y git curl gnupg jq build-essential gawk zip tzdata && \
-    ln -fs /usr/share/zoneinfo/Etc/UTC /etc/localtime && \
-    dpkg-reconfigure --frontend noninteractive tzdata
+RUN apt-get update -q \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates git curl gnupg jq build-essential gawk zip tzdata \
+    && rm -rf /var/lib/apt/lists/*
 
 RUN curl -sS --retry 5 \
     "https://dist.ipfs.tech/kubo/${KUBO_VER}/kubo_${KUBO_VER}_linux-amd64.tar.gz" -o /tmp/kubo.tar.gz && \
@@ -18,15 +27,15 @@ RUN curl -sS --retry 5 \
     | tar -xz -C /usr/local/bin asdf
 
 RUN adduser --shell /bin/bash --home /asdf --disabled-password --gecos asdf asdf --uid $USER_UID
-ENV ASDF_DATA_DIR=/asdf/.asdf
-ENV PATH="${PATH}:/asdf/.asdf/shims"
+ENV ASDF_DATA_DIR=/asdf/.asdf \
+    PATH="${PATH}:/asdf/.asdf/shims"
 
 USER asdf
 WORKDIR /asdf
 
-RUN asdf plugin add golang
-RUN asdf plugin add nodejs
-ADD .tool-versions .
+RUN asdf plugin add golang \
+    && asdf plugin add nodejs
+COPY .tool-versions .
 
 RUN asdf install
 
@@ -37,7 +46,8 @@ RUN go install github.com/guseggert/glibc-check/cmd/glibc-check@v0.0.0-202111301
 
 ARG CACHEBUST=undefined
 USER root
-RUN apt-get update && apt-get -y upgrade
+RUN apt-get update && apt-get -y upgrade \
+    && rm -rf /var/lib/apt/lists/*
 
 USER asdf
 WORKDIR /build

build-go.sh

@@ -115,6 +115,11 @@ function goBuild() {
 			return 1
 		fi
 
+		# Enforce the glibc ABI floor: linux/amd64 tarballs published to
+		# dist.ipfs.tech must not require glibc symbols newer than GLIBC_2.31,
+		# so they keep running on hosts as old as CentOS 7-era glibc (~2.14).
+		# The Dockerfile is pinned to ubuntu:20.04 (glibc 2.31) to bound this;
+		# raising the base image without raising this assertion breaks users.
 		if [ -x "$(which glibc-check)" ] && [ "$GOOS" == "linux" ] && [ "$GOARCH" == "amd64" ]; then
 			echo "GLIBC versions:"
 			glibc-check list-versions "$output"