/usr/share/doc contains a structure that might be like
```
foo/copyright
foo/other
bar -> foo
```
In this case we want to delete `foo/other`, but leave `bar` alone.
The previous code would delete `bar` as it is not a directory.
However, the structure of `/usr/share/doc` is such that the first
level is a per-package directory (or symlink) and the directory
contains the files. We therefore want to only consider files in the
package directories, so look a level further down the tree before
deleting.
Previously we were tagging for all registries as we built
the images and then pushing all registries blindly.
Now if an image hasn't changed it wouldn't tag with the other
registry tags, and then the push would fail as the gcr/quay
tags didn't exist.
Rather than taking care to tag in the case where the image
hasn't changed, instead change the pushall script to
only assume that `bitnami/minideb` tags are correct, and
tag the other registries based on that one before pushing.
This ensures that the tags will always exist, and also makes
sure we are pushing the same image to each registry (excluding
race conditions.)
These depend on the build environment, but differences
don't show up inside the docker image as docker sets the
content of these files when starting a container.
We can put static values in the files to stop the image
layers differing without affecting the running containers
in any way.
This wasn't caught by the reproducibility check as the values
will be pretty static when built on the same host. (hostname
will be fixed, and resolv.conf will only change if the networking
configration changes enough, and that is unlikely to happen)
The builds were reproducible provided they were done on the same day.
However if they were done on different days they had different dates
in /etc/shadow and so changed. This meant that the images were
updated every day, and sometimes the reproducibility check would
fail if the day ticked over between the builds.
When this happens in travis the intermediate images
aren't pushed, so you have to rebuild locally.
The dockerdiff output may be large, but that's more useful
than having to try and reproduce locally.
Tweak the tests so that they use default-mysql-server
on newer dists as it replaced the mysql-server package.
Also add explicit import of the buster signing key
as the Travis agent doesn't have it available.
Thanks to Filippo Giunchedi (@filippog) for the initial
work on this.
* Decode key value
The docker content trust repository key is base64-encoded, so let's decode it before dumping it to a file
* decode option is `-d` in Linux
We found this issue in the travis build:
```
refusing to load key from /tmp/tmp.7IS3P9lCpg/key: private key file /tmp/tmp.7IS3P9lCpg/key must not be readable or writable by others
```
Making the file readable by the running user should fix the proble
The code tries to avoid the contents to be printed in the output in case the shell tracing is enabled at some point, but that implementation also makes the `tmpdir` variable not to be accessible in that context.
Daniel Arteaga