Linux – How to get the source code used to build the packages of the base alpine linux docker image


Why I want to know this:

Currently, I use apt-get source to get the source code for all packages within my Debian based docker images to comply with the GPL when I distribute the docker images.

Now there are a few docker images where I would like to use the alpine based docker image but I don't know how to get the source code used to build the packages within these docker images.

What I found out so far:

If there were an equivalent for apt-get source for alpine linux this wouldn't be a problem (the documentation does not mention a source option for apk)

The GitHub page only contains the scripts and patches but not the exact source code, but then the build scripts just seem to get the source code from upstream.

They have to provide the source code somewhere since they are surely distributing some GPL licensed binaries within their docker images.

How to get (exactly) the source code used to build the packages of an alpine docker image?

Best Answer

Alpine's package manager APK has no equivalent to the dpkg source command (apt-get source <PACKAGE_NAME>).

To get the exact source code matching the installed packages on alpine linux you can use a combination of apk and alpine-sdk commands.

Steps to get the exact source code of the installed packages on alpine linux:

  1. Get a list of all installed packages:

    apk info
    
  2. Install the alpine-sdk (for more information read the alpine wiki):

    apk --update add alpine-sdk
    
  3. Clone your current alpine version from aports:

    git clone --depth 1 --branch v3.13.1 git://git.alpinelinux.org/aports
    
  4. Loop over the installed packages and find the correct folder within the aports folder (beware the package version that you can get with apk version <PACKAGE_NAME> is equal to <PACKAGE_NAME>-<PACKAGE_BUILD_VERSION>-<PACKAGE_RELEASE_VERSION>).

  5. Fetch the package source code (includes alpine specific patch files and config files)

    1. (Optional) you can set a custom destination for the source files with export SRCDEST="/path/to/my/custom/src/destination" otherwise a src folder within the current package folder will be created

    2. Within the folder matching the package name (e.g. aports/main/git for the git package) run abuild -F fetch verify as root or abuild fetch verify as a normal user (this will fetch the source files referenced in the APKBUILD script)

    3. Packages that contain GPL licensed code: To comply with the GPL you have to provide the fetched source files and the APKBUILD script itself. You also have to provide the source files and APKBUILD script for packages listed in the makedepends variable of the APKBUILD script (most of the time these packages e.g. openssl-dev are sub-packages (see point 6) of the runtime dependencies e.g. openssl) see this question about GPL and build dependencies.

  6. Not every package has its own folder within aports, because sometimes a package listed by apk info will be a sub package of another package.

    In this case you have to fetch the source code for the package referenced in the origin variable within the .PKGINFO file which you can obtain by using the apk fetch <sub-packagename> command.
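The lookup in steps 4 to 6 written as shell functions; this is an added example, not part of the original answer. The function names are hypothetical, and it assumes .PKGINFO uses `key = value` lines with `origin` and `pkgver` fields and that the APKBUILD sets `pkgver=` and `pkgrel=` as literal assignments.

```shell
#!/bin/sh
# Added example: map a package to the aports folder that built it.

# Print the value of KEY from .PKGINFO text on stdin ("key = value" lines).
pkginfo_field() {
    sed -n "s/^$1 = //p" | head -n 1
}

# Print the folder in any aports repo (main, community, ...) with ORIGIN's APKBUILD.
aports_dir() {   # usage: aports_dir APORTS_DIR ORIGIN
    for d in "$1"/*/"$2"; do
        [ -f "$d/APKBUILD" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# Print "<pkgver>-r<pkgrel>" from an APKBUILD. The file is a shell script,
# so it is read as text here rather than sourced (which would execute it).
apkbuild_version() {
    ver=$(sed -n 's/^pkgver=//p' "$1/APKBUILD" | head -n 1 | tr -d "\"'")
    rel=$(sed -n 's/^pkgrel=//p' "$1/APKBUILD" | head -n 1 | tr -d "\"'")
    printf '%s-r%s\n' "$ver" "$rel"
}

# Resolve FILE.apk to its aports folder; fail (status 4) when the checkout
# is not the version the binary was built from.
source_dir_for_apk() {   # usage: source_dir_for_apk APORTS_DIR FILE.apk
    info=$(tar -xzOf "$2" .PKGINFO 2>/dev/null || true)
    [ -n "$info" ] || return 2
    origin=$(printf '%s\n' "$info" | pkginfo_field origin)
    want=$(printf '%s\n' "$info" | pkginfo_field pkgver)
    dir=$(aports_dir "$1" "$origin") || return 3
    have=$(apkbuild_version "$dir")
    [ "$have" = "$want" ] && { printf '%s\n' "$dir"; return 0; }
    echo "$origin: aports has $have, package is $want" >&2
    return 4
}

# Driver for a real Alpine system with alpine-sdk and an aports checkout.
fetch_installed_sources() {   # usage: fetch_installed_sources APORTS_DIR
    tmp=$(mktemp -d) || return 1
    for pkg in $(apk info); do
        rm -f "$tmp"/*.apk
        apk fetch -q -o "$tmp" "$pkg" || continue
        dir=$(source_dir_for_apk "$1" "$tmp"/*.apk) || continue
        (cd "$dir" && abuild fetch verify)   # add -F when running as root
    done
    rm -rf "$tmp"
}
```

A status of 4 from source_dir_for_apk means the aports checkout and the binary disagree on version, so the fetched sources would not be the ones the package was built from.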
