From 6a62ce780350e22dfb25f30893c450fd0cd4054a Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 31 Oct 2025 17:39:57 -0400
Subject: [PATCH 1/2] build-sys: Run most parts with `--network=none`

Why? It just shows that we have put some thought into our
build system and care about reproducibility, hermetic builds etc.
And yes of course, `--network=bridge` should probably have been
required as an opt-in in Dockerfile, but oh well. It's not too
bad to sprinkle `--network=none` in some places. The biggest one
is wrapping `make`.

Signed-off-by: Colin Walters <walters@verbum.org>
---
 Dockerfile | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 9f7368bde..f68332b37 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -69,7 +69,10 @@ COPY --from=src /src /src
 WORKDIR /src
 # See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
 # We aren't using the full recommendations there, just the simple bits.
-RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome <<EORUN
+# First we download all of our Rust dependencies
+RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
+# Then on general principle all the stuff from the Makefile runs with no network
+RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none <<EORUN
 set -xeuo pipefail
 make
 make install-all DESTDIR=/out
@@ -83,11 +86,11 @@ FROM build as units
 # A place that we're more likely to be able to set xattrs
 VOLUME /var/tmp
 ENV TMPDIR=/var/tmp
-RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome make install-unit-tests
+RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome --network=none make install-unit-tests
 
 # This just does syntax checking
 FROM build as validate
-RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome make validate
+RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome --network=none make validate
 
 # The final image that derives from the original base and adds the release binaries
 FROM base
@@ -110,7 +113,7 @@ EORUN
 # Create a layer that is our new binaries
 COPY --from=build /out/ /
 # We have code in the initramfs so we always need to regenerate it
-RUN <<EORUN
+RUN --network=none <<EORUN
 set -xeuo pipefail
 if test -x /usr/lib/bootc/initramfs-setup; then
    kver=$(cd /usr/lib/modules && echo *);

From 56c742043bce6fd9233a79e618d4b4bb6cbf40a0 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 31 Oct 2025 17:46:59 -0400
Subject: [PATCH 2/2] build-sys: Fix incorrect caching lines for validate rules

Well spotted Gemini Code Review!

Signed-off-by: Colin Walters <walters@verbum.org>
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f68332b37..acd2498b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -86,11 +86,11 @@ FROM build as units
 # A place that we're more likely to be able to set xattrs
 VOLUME /var/tmp
 ENV TMPDIR=/var/tmp
-RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome --network=none make install-unit-tests
+RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none make install-unit-tests
 
 # This just does syntax checking
 FROM build as validate
-RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome --network=none make validate
+RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none make validate
 
 # The final image that derives from the original base and adds the release binaries
 FROM base