Source
FROM scratch AS build
ARG VERSION
COPY --from=stagex/bootstrap-stage3 . /
ADD fetch/musl-${VERSION}.tar.gz .
WORKDIR /musl-${VERSION}
ADD *.patch .
RUN --network=none <<-EOF
set -eux
ARCH=$(uname -m)
CFLAGS="-Os -fstack-clash-protection -Wformat -Werror=format-security"
CXXFLAGS="-Os -fstack-clash-protection -Wformat -Werror=format-security -D_GLIBCXX_ASSERTIONS=1 -D_LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS=1 -D_LIBCPP_ENABLE_HARDENED_MODE=1"
LDFLAGS="-Wl,--as-needed,-O1,--sort-common -Wl,-soname,libc.musl-${ARCH}.so.1"
patch -p1 < CVE-2025-26519.patch
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--localstatedir=/var \
--enable-debug
make -j "$(nproc)"
make DESTDIR=/rootfs install
mkdir -p /rootfs/usr/bin /rootfs/usr/lib
rm -rf /rootfs/lib
ln -sf /usr/lib/ld-musl-${ARCH}.so.1 /rootfs/usr/bin/ldd
mv -f /rootfs/usr/lib/libc.so /rootfs/usr/lib/ld-musl-${ARCH}.so.1
ln -sf ld-musl-${ARCH}.so.1 /rootfs/usr/lib/libc.musl-${ARCH}.so.1
ln -sf /usr/lib/ld-musl-${ARCH}.so.1 /rootfs/usr/lib/libc.so
EOF
FROM stagex/core-filesystem AS package
COPY --from=build /rootfs/ /