From ec0e419275125a4706ef1e459222df1914254c10 Mon Sep 17 00:00:00 2001 From: Mathias Beaulieu-Duncan Date: Mon, 2 Feb 2026 23:49:12 -0500 Subject: [PATCH] Use native Wolfi base images for Android and Linux variants - Dockerfile.android: Use flutter-sdk-android-latest base with OpenJDK 17 - Dockerfile.linux: Use flutter-sdk-linux-latest base with clang/GTK3 Removes all Debian library copying, eliminating Debian-sourced CVEs. Significantly simplifies both Dockerfiles. Co-Authored-By: Claude Opus 4.5 --- Dockerfile.android | 40 ++++++------------------------- Dockerfile.linux | 59 ++-------------------------------------------- 2 files changed, 9 insertions(+), 90 deletions(-) diff --git a/Dockerfile.android b/Dockerfile.android index e793079..dc7343c 100644 --- a/Dockerfile.android +++ b/Dockerfile.android @@ -1,4 +1,4 @@ -FROM svrnty/base-distro:flutter-sdk-latest AS base +FROM svrnty/base-distro:flutter-sdk-android-latest ARG FLUTTER_VERSION=3.38.9 ARG ANDROID_SDK_TOOLS_VERSION=11076708 
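Review bot: The new `FROM svrnty/base-distro:flutter-sdk-android-latest` line still tracks a mutable `-latest` tag, so the toolchain this commit now takes entirely from the base image (OpenJDK 17 here, clang/GTK3 in Dockerfile.linux, per the commit message) can change between builds without any change to this file. Since the stated goal is to eliminate Debian-sourced CVEs, pinning by digest would make the image that was scanned and the image that is built the same thing: `FROM svrnty/base-distro:flutter-sdk-android-latest@sha256:<digest-of-reviewed-image>`. The same applies to the `FROM svrnty/base-distro:flutter-sdk-linux-latest` line in the first Dockerfile.linux hunk.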
@@ -9,23 +9,13 @@ LABEL org.opencontainers.image.title="flutter-sdk-android" LABEL org.opencontainers.image.description="Flutter SDK for Android CI builds" LABEL org.opencontainers.image.version="${FLUTTER_VERSION}" -# --- Install JDK and Android SDK in debian (requires apt + shared libs) --- -FROM debian:bookworm-slim AS android-stage +USER 0 -ARG ANDROID_SDK_TOOLS_VERSION=11076708 -ARG ANDROID_COMPILE_SDK=36 -ARG ANDROID_BUILD_TOOLS=36.0.0 - -RUN apt-get update && apt-get install -y --no-install-recommends \ - curl \ - unzip \ - openjdk-17-jdk-headless \ - && rm -rf /var/lib/apt/lists/* - -ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 +# Set up Android SDK environment ENV ANDROID_HOME=/opt/android-sdk -ENV PATH="${JAVA_HOME}/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/platform-tools:${PATH}" +ENV PATH="${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/platform-tools:${PATH}" +# Download and install Android SDK command-line tools RUN mkdir -p "${ANDROID_HOME}/cmdline-tools" && \ curl -fsSL "https://dl.google.com/android/repository/commandlinetools-linux-${ANDROID_SDK_TOOLS_VERSION}_latest.zip" \ -o /tmp/cmdline-tools.zip && \ 
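Review bot: The archive fetched by the `curl -fsSL ... -o /tmp/cmdline-tools.zip` step has no integrity check before its contents are installed and run as `sdkmanager` under `USER 0`, and after this change that happens directly in the final image rather than in a separate stage. Pinning `ANDROID_SDK_TOOLS_VERSION` fixes the file name but not the bytes; a checksum line right after the download would, e.g. `echo "${ANDROID_SDK_TOOLS_SHA256}  /tmp/cmdline-tools.zip" | sha256sum -c - && \` together with a new `ARG ANDROID_SDK_TOOLS_SHA256=<sha256-of-reviewed-archive>`. The RUN instruction continues past the end of this hunk, so the extraction step is not visible here. The Flutter tarball downloads in the next Dockerfile.android hunk and in the second Dockerfile.linux hunk have the same gap.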
@@ -33,30 +23,14 @@ RUN mkdir -p "${ANDROID_HOME}/cmdline-tools" && \ mv /tmp/cmdline-tools/cmdline-tools "${ANDROID_HOME}/cmdline-tools/latest" && \ rm -rf /tmp/cmdline-tools.zip /tmp/cmdline-tools +# Accept licenses and install SDK components RUN yes | sdkmanager --licenses > /dev/null 2>&1 && \ sdkmanager --install \ "platform-tools" \ "platforms;android-${ANDROID_COMPILE_SDK}" \ "build-tools;${ANDROID_BUILD_TOOLS}" -# --- Build final image --- -FROM base - -USER 0 - -# Copy JDK and its required shared libraries from debian -COPY --from=android-stage /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/java-17-openjdk-amd64 -COPY --from=android-stage /usr/lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu -COPY --from=android-stage /lib/x86_64-linux-gnu /lib/x86_64-linux-gnu -ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 -ENV PATH="${JAVA_HOME}/bin:${PATH}" - -# Copy Android SDK (already set up with licenses and components) -COPY --from=android-stage /opt/android-sdk /opt/android-sdk -ENV ANDROID_HOME=/opt/android-sdk -ENV PATH="${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/platform-tools:${PATH}" - -# Download Flutter SDK and strip unnecessary files in a single layer +# Download Flutter SDK and strip unnecessary files RUN curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${FLUTTER_VERSION}-stable.tar.xz" \ -o /tmp/flutter.tar.xz && \ tar xf /tmp/flutter.tar.xz -C /opt && \ diff --git a/Dockerfile.linux b/Dockerfile.linux index 9fa499e..bc01f65 100644 --- a/Dockerfile.linux +++ b/Dockerfile.linux @@ -1,4 +1,4 @@ -FROM svrnty/base-distro:flutter-sdk-latest AS base +FROM svrnty/base-distro:flutter-sdk-linux-latest ARG FLUTTER_VERSION=3.38.9 
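Review bot: In Dockerfile.android both `ENV JAVA_HOME=...` lines are removed and nothing in the visible hunks replaces them, so the `sdkmanager` step now depends on the base image exposing a usable JDK 17 on `PATH`; that dependency is not stated anywhere in the file. Because the license step redirects stderr to `/dev/null`, a missing or mismatched JDK would stop the build at that point with no message. I would add a comment such as `# JDK 17 (java on PATH / JAVA_HOME) is provided by the flutter-sdk-android base image` above the SDK section and keep stderr visible with `RUN yes | sdkmanager --licenses > /dev/null && \`. The Flutter download RUN at the end of this hunk continues outside it.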
@@ -6,25 +6,9 @@ LABEL org.opencontainers.image.title="flutter-sdk-linux" LABEL org.opencontainers.image.description="Flutter SDK for Linux desktop CI builds" LABEL org.opencontainers.image.version="${FLUTTER_VERSION}" -# --- Install Linux desktop build deps in debian --- -FROM debian:bookworm-slim AS deps-stage - -RUN apt-get update && apt-get install -y --no-install-recommends \ - clang \ - cmake \ - ninja-build \ - pkg-config \ - libgtk-3-dev \ - liblzma-dev \ - libstdc++-12-dev \ - && rm -rf /var/lib/apt/lists/* - -# --- Build final image --- -FROM base - USER 0 -# Download Flutter SDK and strip unnecessary files in a single layer +# Download Flutter SDK and strip unnecessary files RUN curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${FLUTTER_VERSION}-stable.tar.xz" \ -o /tmp/flutter.tar.xz && \ tar xf /tmp/flutter.tar.xz -C /opt && \ 
@@ -37,45 +21,6 @@ RUN curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/st RUN git config --global --add safe.directory /opt/flutter && \ cd /opt/flutter && git gc --prune=all -# Remove symlinks that conflict with COPY from debian stage -RUN rm -f /usr/lib/terminfo - -# Copy only specific toolchain binaries (not all of /usr/bin which would overwrite Wolfi's core utils) -COPY --from=deps-stage /usr/bin/cmake /usr/bin/cmake -COPY --from=deps-stage /usr/bin/ninja /usr/bin/ninja -COPY --from=deps-stage /usr/bin/pkg-config /usr/bin/pkg-config -COPY --from=deps-stage /usr/bin/clang-14 /usr/bin/clang-14 -RUN ln -sf clang-14 /usr/bin/clang && ln -sf clang-14 /usr/bin/clang++ - -# Copy libraries from debian stage (specific subdirectories to avoid overwriting Wolfi's core libs) -COPY --from=deps-stage /usr/lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu -COPY --from=deps-stage /usr/lib/llvm-14 /usr/lib/llvm-14 -COPY --from=deps-stage /usr/lib/cmake /usr/lib/cmake -COPY --from=deps-stage /usr/lib/gcc /usr/lib/gcc -COPY --from=deps-stage /usr/include /usr/include -COPY --from=deps-stage /usr/share/cmake-3.25 /usr/share/cmake-3.25 -COPY --from=deps-stage /usr/share/pkgconfig /usr/share/pkgconfig -COPY --from=deps-stage /lib/x86_64-linux-gnu /lib/x86_64-linux-gnu - -# Remove Debian's glibc/ld files that conflict with Wolfi's newer glibc, -# then register the Debian library paths and rebuild the linker cache -RUN rm -f /usr/lib/x86_64-linux-gnu/libc.so* /usr/lib/x86_64-linux-gnu/libm.so* \ - /usr/lib/x86_64-linux-gnu/libpthread* /usr/lib/x86_64-linux-gnu/libdl.so* \ - /usr/lib/x86_64-linux-gnu/librt.so* /usr/lib/x86_64-linux-gnu/libresolv* \ - /usr/lib/x86_64-linux-gnu/libmvec* /usr/lib/x86_64-linux-gnu/libnss_* \ - /usr/lib/x86_64-linux-gnu/ld-linux* /usr/lib/x86_64-linux-gnu/crt*.o \ - /usr/lib/x86_64-linux-gnu/libpcre2-8.so* \ - /lib/x86_64-linux-gnu/libc.so* /lib/x86_64-linux-gnu/libc-* \ - /lib/x86_64-linux-gnu/libm.so* /lib/x86_64-linux-gnu/libm-* \ 
- /lib/x86_64-linux-gnu/libpthread* /lib/x86_64-linux-gnu/libdl.so* \ - /lib/x86_64-linux-gnu/librt.so* /lib/x86_64-linux-gnu/libresolv* \ - /lib/x86_64-linux-gnu/libmvec* /lib/x86_64-linux-gnu/libnss_* \ - /lib/x86_64-linux-gnu/ld-linux* \ - /lib/x86_64-linux-gnu/libpcre2-8.so* && \ - echo "/usr/lib/x86_64-linux-gnu" > /etc/ld.so.conf.d/debian-x86_64.conf && \ - echo "/lib/x86_64-linux-gnu" >> /etc/ld.so.conf.d/debian-x86_64.conf && \ - ldconfig - # Fix ownership before switching to flutter user RUN chown -R 65532:65532 /opt/flutter