Why I want to know this:
Currently, I use apt-get source to get the source code for all packages within my Debian based docker images to comply with the GPL when I distribute the docker images.
Now there are e few docker images where I would like to use the alpine based docker image but I don't know how to get the source code used to build the packages within these docker images.
What I found out so far:
If there were an equivalent for
apt-get source for alpine linux this wouldn't be a problem (the documentation does not mention a source option for apk)
The Github page only contains the scripts and patches but not the exact source code, but then the build scripts just seem to get the source code from upstream.
They have to provide the source code somewhere since they are surely distributing some GPL licensed binaries within there docker images.
How to get (exactly) the source code used to build the packages of an alpine docker image?
Best Answer
Alpines package manager
APK
has no equivalent to thedpkg
source command (apt-get source <PACKAGE_NAME>
).To get the exact source code matching the installed packages on alpine linux you can use a combination of
apk
andalpine-sdk
commands.Steps to get the exact source code of the installed packages on alpine linux:
Get a list of all installed packages:
Install the alpine-sdk (for more information read the alpine wiki):
Clone your current alpine version from aports:
Loop over the installed packages and find the correct folder within the aports folder (beware the package version that you can get with
apk version <PACKAGE_NAME>
is equal to<PACKAGE_NAME>-<PACKAGE_BUILD_VERSION>-<PACKGAE_RELEASE_VERSION>
).Fetch the package source code (includes alpine specific patch files and config files)
(Optional) you can set a custom destination for the source files with
export SRCDEST="/path/to/my/custom/src/destination"
otherwise a src folder within the current package folder will be createdWithin the folder matching the package name (e.g.
aports/main/git
for thegit
package) runabuild -F fetch verify
as root orabuild fetch verify
as a normal user (this will fetch the source files referenced in theAPKBUILD
script)Packages that contain GPL licensed code: To comply with the
GPL
you have to provide the fetched source files and theAPKBUILD
script itself. You also have to provide the source files andAPKBUILD
script for packages listed in themakedepends
variable of theAPKBUILD
script (most of the time these packages e.g.openssl-dev
are sub-packages (see point 6) of the runtime dependencies e.g.openssl
) see this question aboutGPL
and build dependencies.Not every package has its own folder within aports, because sometimes a package listed by
apk info
will be a sub package of another package.In this case you have to fetch the source code for the package referenced in the origin variable within the
.PKGINFO
file which you can obtain by using theapk fetch <sub-packagename>
command.