Update to digikam 7.4.0 release.

Changes: * Update baseimage-gui to use Debian 11; required by Digikam. * Mitigate CVE-2021-44228 via Debian 11. * Custom baseimage-gui build until a public Debian 11 release occurs. The 7.4.0 release requires Debian 11 as well as mitigating CVE-2021-44228. Debian 11 baseimage has not been released stable yet; therefore a custom build has been created. As such, 7.4.0 will not be in the 'stable' release until it is publically released and the build is reproducible without patches. Build reproduction instructions are located in Dockerfile.
r-pufky · Dec 18, 2021 · 2227fe1 · 2227fe1
1 parent 2d913f8
commit 2227fe1
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,32 @@
-FROM jlesage/baseimage-gui:debian-10
+# TODO(debian-11): Debian 11 has not been released yet for baseimage-gui.
+#     This is currently being worked on in the v4 release branch:
+#
+#     https://github.com/jlesage/docker-baseimage-gui/tree/v4
+#
+#     Digikam 7.4.0 requires libraries present in Debian 11, as well as
+#     mitigating any potential issues with CVE-2021-44228 (log4j) from any
+#     dependencies. See: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+#
+#     It has been decided to build a pre-release debian-11 image to mitigate
+#     this potential vulnerability as well as release digikam 7.4.0. It will
+#     **NOT** be considered stable until debian-11 is released for
+#     baseimage-gui.
+#
+#     Currently, this means the the build **IS NOT** reproducible without
+#     patches. These are included in patches/ to manually reproduce (with some
+#     docker user changes).
+#
+#     Manual build reproduction:
+#       git clone https://github.com/jlesage/docker-baseimage-gui
+#       cd docker-baseimage-gui
+#       git checkout remotes/origin/v4
+#       git apply ../digikam/patches/docker-baseimage-gui.3077e2c.patch
+#       docker build -t rpufky/baseimage-gui:debian-11 .
+#
+
+# TODO(debian-11): revert when debian-11 jlesage image is released.
+#FROM jlesage/baseimage-gui:debian-10
+FROM rpufky/baseimage-gui:debian-11
 ARG digikam_version=unknown
 
 ENV APP_NAME=$digikam_version \
@@ -40,6 +68,7 @@ COPY squashfs-root/ /digikam/
 # libimage-exiftool-perl - 7.3.0 needed for digikam base.
 # firefox-esr            - 7.3.0 needed for smugmug auth.   
 # firefox-esr-l10n-all   - 7.3.0 needed for smugmug auth.
+# libgl1-mesa-glx        - 7.4.0 needed for digikam base.
 # Ensure en.UTF-8 set for locale.
 RUN \
   update-locale LANG=${LANG} && \
@@ -56,6 +85,7 @@ RUN \
   libimage-exiftool-perl \
   firefox-esr \ 
   firefox-esr-l10n-all \
+  libgl1-mesa-glx \
   dbus && \
   apt-get clean autoclean && \
   apt-get autoremove --yes && \

diff --git a/Makefile b/Makefile
@@ -5,8 +5,8 @@
 #
 # TODO: De-duplicate stable/unstable and finish simplifying build options.
 #
-version            = 7.3.0
-pre_release        = 7.3.0
+version            = 7.4.0
+pre_release        = 7.4.0
 BUILD_DIR          = digikam-build
 STAGING_DIR        = $(BUILD_DIR)/staging
 GPG_DIR            = $(BUILD_DIR)/gpg

diff --git a/README.md b/README.md
@@ -5,12 +5,22 @@ runs on Linux, Windows, and MacOS. The application provides a comprehensive set
 of tools for importing, managing, editing, and sharing photos and raw files.
 
 This is a docker image that uses the [digikam AppImage][f9] combined with
-[jlesage/baseimage-gui:debian9][5t] to enable dockerized digikam usage with all
+[jlesage/baseimage-gui:debian10][5t] to enable dockerized digikam usage with all
 plugins via any modern web browser without additional client configuration.
 
 Please read documentation on [jlesage/baseimage-gui][5t] for detailed baseimage
 usage.
 
+:warning:
+The 7.4.0 release requires Debian 11 as well as mitigating [CVE-2021-44228][7g].
+
+Debian 11 baseimage has not been released stable yet; therefore a custom build
+has been created. As such, 7.4.0 will not be in the 'stable' release until
+it is publically released and the build is reproducible without patches.
+
+Build reproduction instructions are located in [Dockerfile](Dockerfile).
+:warning:
+
 ## Version Tags
 This image provides various versions that are available via tags. Use `stable`
 or an explicit digikam version (e.g. 7.3.0), which will provide updates but
@@ -23,7 +33,7 @@ minimize unexpected changes.
 
 | Tag    | Description             | Comment                                                         |
 |--------|-------------------------|-----------------------------------------------------------------|
-| latest | digikam container 7.3.0 | [7.3.0 Release](https://download.kde.org/stable/digikam/7.3.0/) |
+| latest | digikam container 7.4.0 | [7.4.0 Release](https://download.kde.org/stable/digikam/7.4.0/) |
 | stable | digikam container 7.3.0 | [7.3.0 Release](https://download.kde.org/stable/digikam/7.3.0/) |
 
 * All binaries are based on the [jlesaige/baseimage-gui:debian9][5t] base image.
@@ -271,3 +281,4 @@ unmodified and copied under this license.
 [b7]: https://github.com/r-pufky/digikam/blob/master/media/digikam-setup-db.png?raw=true
 [b2]: https://github.com/r-pufky/digikam/blob/master/RELEASE.md
 [c8]: https://github.com/r-pufky/digikam/blob/master/media/digikam-setup-faces.png?raw=true
+[7g]: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
diff --git a/RELEASE.md b/RELEASE.md
@@ -5,6 +5,24 @@ Uses semantic versioning, with an additional container version number:
 
 ## Unreleased
 
+## 7.4.0
+Digikam [7.4.0 release][9f].
+
+:warning:
+The 7.4.0 release requires Debian 11 as well as mitigating [CVE-2021-44228][7g].
+
+Debian 11 baseimage has not been released stable yet; therefore a custom build
+has been created. As such, 7.4.0 will not be in the 'stable' release until
+it is publically released and the build is reproducible without patches.
+
+Build reproduction instructions are located in [Dockerfile](Dockerfile).
+:warning:
+
+Changes:
+* Update baseimage-gui to use Debian 11; required by Digikam.
+* Mitigate [CVE-2021-44228][7g] via Debian 11.
+* Custom baseimage-gui build until a public Debian 11 release occurs.
+
 ## 7.3.0
 Digikam [7.3.0 release][9f].
 
@@ -124,3 +142,4 @@ Fixes:
 [9d]: https://cgit.kde.org/digikam.git/tree/project/NEWS.6.3.0
 [8v]: https://cgit.kde.org/digikam.git/tree/project/NEWS.6.2.0
 [3g]: https://keepachangelog.com/en/1.0.0/
+[7g]: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
diff --git a/patches/docker-baseimage-gui.3077e2c.patch b/patches/docker-baseimage-gui.3077e2c.patch
@@ -0,0 +1,31 @@
+diff --git a/.github/workflows/build-baseimage.yml b/.github/workflows/build-baseimage.yml
+index 60998bd..be1d1b9 100644
+--- a/.github/workflows/build-baseimage.yml
++++ b/.github/workflows/build-baseimage.yml
+@@ -1,8 +1,8 @@
+ name: Docker Baseimage CI
+
+ env:
+-  DOCKERHUB_USERNAME: jlesage
+-  DOCKER_IMAGE_NAME: jlesage/baseimage-gui
++  DOCKERHUB_USERNAME: rpufky
++  DOCKER_IMAGE_NAME: rpufky/baseimage-gui
+
+ on:
+   push:
+diff --git a/Dockerfile b/Dockerfile
+index c8f42f5..f02ddc7 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -4,7 +4,10 @@
+ # https://github.com/jlesage/docker-baseimage-gui
+ #
+
+-ARG BASEIMAGE=unknown
++#ARG BASEIMAGE=unknown
++ARG BASEIMAGE=jlesage/baseimage:debian-11-v3.0.0-pre.6
++ARG BUILDPLATFORM=linux/amd64
++
+
+ # Define the Alpine packages to be installed into the image.
+ ARG ALPINE_PKGS="\