Provide official image that includes the Static Linux SDK

[Cyberbeni]

Not having an official image that already includes the static SDK increases the chance that some bad actor creates an image that initially just installs the static SDK on top of the official swift image but later adds malicious code once people are using it. A lot of people don't review changes to their dependencies even if they reviewed them initially when adding them.

[finestructure]

I was about to open an issue regarding SDK images when I came across this issue here. I recently raised during an SSWG meeting that ready-made SDK images would be useful to us and I was advised to open an issue here for discussion.

Please let me know if I should rather split this out into its separate issue as it's about more than static linux SDKs.

To give a bit of background, we recently added Wasm and Android compatibility testing to the Swift Package Index.

We run these compatibility checks via cross-compilation. For example

swift build --swift-sdk aarch64-unknown-linux-android28

We run the builds via docker and prepare the SDKs for the builds via our spi-images project, resulting in images like

• registry.gitlab.com/finestructure/spi-images:wasm-6.2-latest
• registry.gitlab.com/finestructure/spi-images:android-6.2-latest

for example.

While our first stab at this for 6.1 was not overly complicated, preparing the 6.2 images (which are based on nightly toolchains for the time being) required more complex changes. In particular, it required special casing of 6.1 and 6.2 image building.

The complexity is due to having to match an SDK snapshot to a particular nightly toolchain, plus some extra fiddly bits to include other dependencies.

Having done the work, I was wondering if there's any interest to push this SDK docker image generation "upstream" somewhere, where updates could perhaps be even automated whenever new SDKs/toolchains are built.

This would obviously help us tremendously in keeping this part of our process lean. But I suspect ready-made "swift SDK images" could be useful not just for our use-case of cross-compilation.

Is this something worth discussing/exploring?