From 93c143675cbf287132cfcd54d6e91eaa55d20db2 Mon Sep 17 00:00:00 2001
From: Jamie Hewland <jhewland@gmail.com>
Date: Tue, 10 Jul 2018 22:26:58 +0200
Subject: [PATCH 1/2] alpine: Don't install ca-certificates on Alpine 3.7+

* CA certs come bundled on Alpine 3.7+
* On Alpine 3.6, rather install libressl which also include CA certs,
  allows us to use wget, and doesn't increase the size over
  ca-certificates
---
 2.7/alpine3.6/Dockerfile           | 11 ++---------
 2.7/alpine3.7/Dockerfile           | 11 ++---------
 2.7/alpine3.8/Dockerfile           | 11 ++---------
 3.4/alpine3.7/Dockerfile           | 11 ++---------
 3.4/alpine3.8/Dockerfile           | 11 ++---------
 3.5/alpine3.7/Dockerfile           | 11 ++---------
 3.5/alpine3.8/Dockerfile           | 11 ++---------
 3.6/alpine3.6/Dockerfile           | 11 ++---------
 3.6/alpine3.7/Dockerfile           | 11 ++---------
 3.6/alpine3.8/Dockerfile           | 11 ++---------
 3.7/alpine3.7/Dockerfile           | 11 ++---------
 3.7/alpine3.8/Dockerfile           | 11 ++---------
 Dockerfile-alpine.template         | 11 ++---------
 Dockerfile-caveman-alpine.template | 11 ++---------
 update.sh                          |  7 ++++++-
 15 files changed, 34 insertions(+), 127 deletions(-)

diff --git a/2.7/alpine3.6/Dockerfile b/2.7/alpine3.6/Dockerfile
index 290833b62..aad4f8abc 100644
--- a/2.7/alpine3.6/Dockerfile
+++ b/2.7/alpine3.6/Dockerfile
@@ -15,9 +15,8 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+RUN apk add --no-cache libressl
 
 ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
 ENV PYTHON_VERSION 2.7.15
@@ -25,7 +24,6 @@ ENV PYTHON_VERSION 2.7.15
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -48,7 +46,6 @@ RUN set -ex \
 		gcc \
 		gdbm-dev \
 		libc-dev \
-		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -96,13 +93,9 @@ RUN set -ex \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/2.7/alpine3.7/Dockerfile b/2.7/alpine3.7/Dockerfile
index a2379cff1..cf182abcd 100644
--- a/2.7/alpine3.7/Dockerfile
+++ b/2.7/alpine3.7/Dockerfile
@@ -15,9 +15,8 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
 ENV PYTHON_VERSION 2.7.15
@@ -25,7 +24,6 @@ ENV PYTHON_VERSION 2.7.15
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -49,7 +47,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -98,13 +95,9 @@ RUN set -ex \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/2.7/alpine3.8/Dockerfile b/2.7/alpine3.8/Dockerfile
index a2d9f31b3..c90f6ab8b 100644
--- a/2.7/alpine3.8/Dockerfile
+++ b/2.7/alpine3.8/Dockerfile
@@ -15,9 +15,8 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
 ENV PYTHON_VERSION 2.7.15
@@ -25,7 +24,6 @@ ENV PYTHON_VERSION 2.7.15
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -49,7 +47,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -98,13 +95,9 @@ RUN set -ex \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.4/alpine3.7/Dockerfile b/3.4/alpine3.7/Dockerfile
index e5fdc190e..1a21623c5 100644
--- a/3.4/alpine3.7/Dockerfile
+++ b/3.4/alpine3.7/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.4.8
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.4.8
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -48,7 +46,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
-		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -107,13 +104,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.4/alpine3.8/Dockerfile b/3.4/alpine3.8/Dockerfile
index 42f613c65..7bc22d33f 100644
--- a/3.4/alpine3.8/Dockerfile
+++ b/3.4/alpine3.8/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.4.8
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.4.8
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -48,7 +46,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
-		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -107,13 +104,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.5/alpine3.7/Dockerfile b/3.5/alpine3.7/Dockerfile
index 77879ecf0..2503d2c9b 100644
--- a/3.5/alpine3.7/Dockerfile
+++ b/3.5/alpine3.7/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.5.5
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.5.5
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -48,7 +46,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
-		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -107,13 +104,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.5/alpine3.8/Dockerfile b/3.5/alpine3.8/Dockerfile
index 0eeda4f1f..338f15981 100644
--- a/3.5/alpine3.8/Dockerfile
+++ b/3.5/alpine3.8/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.5.5
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.5.5
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		openssl \
 		tar \
 		xz \
 	\
@@ -48,7 +46,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
-		openssl \
 		openssl-dev \
 		linux-headers \
 		make \
@@ -107,13 +104,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps openssl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.6/alpine3.6/Dockerfile b/3.6/alpine3.6/Dockerfile
index cf4a1cd66..9c0a3e990 100644
--- a/3.6/alpine3.6/Dockerfile
+++ b/3.6/alpine3.6/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+RUN apk add --no-cache libressl
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.6.6
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.6.6
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -48,7 +46,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
-		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -107,13 +104,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.6/alpine3.7/Dockerfile b/3.6/alpine3.7/Dockerfile
index 6af00750a..7b1221227 100644
--- a/3.6/alpine3.7/Dockerfile
+++ b/3.6/alpine3.7/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.6.6
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.6.6
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -49,7 +47,6 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -109,13 +106,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.6/alpine3.8/Dockerfile b/3.6/alpine3.8/Dockerfile
index 89b97ccbb..073d33da8 100644
--- a/3.6/alpine3.8/Dockerfile
+++ b/3.6/alpine3.8/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.6.6
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.6.6
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -49,7 +47,6 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -109,13 +106,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.7/alpine3.7/Dockerfile b/3.7/alpine3.7/Dockerfile
index 4e24dc545..6f504739c 100644
--- a/3.7/alpine3.7/Dockerfile
+++ b/3.7/alpine3.7/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.7.0
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.7.0
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		openssl \
 		tar \
 		xz \
 	\
@@ -49,7 +47,6 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
-		openssl \
 		openssl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -109,13 +106,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps openssl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/3.7/alpine3.8/Dockerfile b/3.7/alpine3.8/Dockerfile
index 6b9fe4698..a028f27b3 100644
--- a/3.7/alpine3.8/Dockerfile
+++ b/3.7/alpine3.8/Dockerfile
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.7.0
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.7.0
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -49,7 +47,6 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -109,13 +106,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 8e9400c9f..7557434ce 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -7,9 +7,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY %%PLACEHOLDER%%
 ENV PYTHON_VERSION %%PLACEHOLDER%%
@@ -17,7 +16,6 @@ ENV PYTHON_VERSION %%PLACEHOLDER%%
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -43,7 +41,6 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -103,13 +100,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION %%PLACEHOLDER%%
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/Dockerfile-caveman-alpine.template b/Dockerfile-caveman-alpine.template
index ef9107741..cec5f0d13 100644
--- a/Dockerfile-caveman-alpine.template
+++ b/Dockerfile-caveman-alpine.template
@@ -9,9 +9,8 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY %%PLACEHOLDER%%
 ENV PYTHON_VERSION %%PLACEHOLDER%%
@@ -19,7 +18,6 @@ ENV PYTHON_VERSION %%PLACEHOLDER%%
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -43,7 +41,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -92,13 +89,9 @@ RUN set -ex \
 ENV PYTHON_PIP_VERSION %%PLACEHOLDER%%
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \
diff --git a/update.sh b/update.sh
index de7ca42fb..1d1804ba3 100755
--- a/update.sh
+++ b/update.sh
@@ -153,11 +153,16 @@ for version in "${versions[@]}"; do
 		esac
 
 		case "$version/$v" in
+			# On Alpine 3.6 it's necessary to install libressl to get working HTTPS.
+			# Later Alpine versions have CA certificates pre-installed.
+			*/alpine3.6)
+				sed -ri -e '/^# .* libressl$/s/^# //' "$dir/Dockerfile"
+				;;& # (other patches needed for Alpine 3.6 in later blocks)
 			# https://bugs.python.org/issue32598 (Python 3.7.0b1+)
 			# TL;DR: Python 3.7+ uses OpenSSL functionality which LibreSSL 2.6.x in Alpine 3.7 doesn't implement
 			# Python 3.5 on Alpine 3.8 needs OpenSSL too
 			3.7*/alpine3.7 | 3.5*/alpine3.8)
-				sed -ri -e 's/libressl/openssl/g' "$dir/Dockerfile"
+				sed -ri -e 's/libressl-dev/openssl-dev/g' "$dir/Dockerfile"
 				;;& # (3.5*/alpine* needs to match the next block too)
 			# Libraries to build the nis module only available in Alpine 3.7+.
 			# Also require this patch https://bugs.python.org/issue32521 only available in Python 2.7, 3.6+.

From cc8d2323a87f82ab67a982ee00eca1a3a463d18e Mon Sep 17 00:00:00 2001
From: Tianon Gravi <admwiggin@gmail.com>
Date: Wed, 25 Jul 2018 11:07:03 -0700
Subject: [PATCH 2/2] Adjust implementation for smaller diff from existing
 (keeping "ca-certificates" installed and removing "libressl" after
 downloading)

---
 2.7/alpine3.6/Dockerfile           |  8 ++++++--
 2.7/alpine3.7/Dockerfile           |  3 ---
 2.7/alpine3.8/Dockerfile           |  3 ---
 3.4/alpine3.7/Dockerfile           |  3 ---
 3.4/alpine3.8/Dockerfile           |  3 ---
 3.5/alpine3.7/Dockerfile           |  3 ---
 3.5/alpine3.8/Dockerfile           |  3 ---
 3.6/alpine3.6/Dockerfile           |  8 ++++++--
 3.6/alpine3.7/Dockerfile           |  3 ---
 3.6/alpine3.8/Dockerfile           |  3 ---
 3.7/alpine3.7/Dockerfile           |  3 ---
 3.7/alpine3.8/Dockerfile           |  3 ---
 Dockerfile-alpine.template         |  8 ++++++--
 Dockerfile-caveman-alpine.template |  8 ++++++--
 update.sh                          | 15 ++++++++++-----
 15 files changed, 34 insertions(+), 43 deletions(-)

diff --git a/2.7/alpine3.6/Dockerfile b/2.7/alpine3.6/Dockerfile
index aad4f8abc..a1b991e42 100644
--- a/2.7/alpine3.6/Dockerfile
+++ b/2.7/alpine3.6/Dockerfile
@@ -15,8 +15,8 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-RUN apk add --no-cache libressl
+# install ca-certificates so that HTTPS works consistently (other runtime dependencies for Python are installed later); only needed on Alpine 3.6 (3.7+ includes these in the base)
+RUN apk add --no-cache ca-certificates
 
 ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
 ENV PYTHON_VERSION 2.7.15
@@ -24,6 +24,7 @@ ENV PYTHON_VERSION 2.7.15
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
+		libressl \
 		tar \
 		xz \
 	\
@@ -46,6 +47,7 @@ RUN set -ex \
 		gcc \
 		gdbm-dev \
 		libc-dev \
+		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -93,6 +95,8 @@ RUN set -ex \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
+	\
+	apk add --no-cache --virtual .fetch-deps libressl; trap 'apk del .fetch-deps' EXIT; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
diff --git a/2.7/alpine3.7/Dockerfile b/2.7/alpine3.7/Dockerfile
index cf182abcd..b4517f0b2 100644
--- a/2.7/alpine3.7/Dockerfile
+++ b/2.7/alpine3.7/Dockerfile
@@ -15,9 +15,6 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
 ENV PYTHON_VERSION 2.7.15
 
diff --git a/2.7/alpine3.8/Dockerfile b/2.7/alpine3.8/Dockerfile
index c90f6ab8b..98344875a 100644
--- a/2.7/alpine3.8/Dockerfile
+++ b/2.7/alpine3.8/Dockerfile
@@ -15,9 +15,6 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
 ENV PYTHON_VERSION 2.7.15
 
diff --git a/3.4/alpine3.7/Dockerfile b/3.4/alpine3.7/Dockerfile
index 1a21623c5..858ce8980 100644
--- a/3.4/alpine3.7/Dockerfile
+++ b/3.4/alpine3.7/Dockerfile
@@ -13,9 +13,6 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.4.8
 
diff --git a/3.4/alpine3.8/Dockerfile b/3.4/alpine3.8/Dockerfile
index 7bc22d33f..4fcdd4a4b 100644
--- a/3.4/alpine3.8/Dockerfile
+++ b/3.4/alpine3.8/Dockerfile
@@ -13,9 +13,6 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.4.8
 
diff --git a/3.5/alpine3.7/Dockerfile b/3.5/alpine3.7/Dockerfile
index 2503d2c9b..cf0b62c1f 100644
--- a/3.5/alpine3.7/Dockerfile
+++ b/3.5/alpine3.7/Dockerfile
@@ -13,9 +13,6 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.5.5
 
diff --git a/3.5/alpine3.8/Dockerfile b/3.5/alpine3.8/Dockerfile
index 338f15981..088071042 100644
--- a/3.5/alpine3.8/Dockerfile
+++ b/3.5/alpine3.8/Dockerfile
@@ -13,9 +13,6 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.5.5
 
diff --git a/3.6/alpine3.6/Dockerfile b/3.6/alpine3.6/Dockerfile
index 9c0a3e990..bceec9d46 100644
--- a/3.6/alpine3.6/Dockerfile
+++ b/3.6/alpine3.6/Dockerfile
@@ -13,8 +13,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-RUN apk add --no-cache libressl
+# install ca-certificates so that HTTPS works consistently (other runtime dependencies for Python are installed later); only needed on Alpine 3.6 (3.7+ includes these in the base)
+RUN apk add --no-cache ca-certificates
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.6.6
@@ -22,6 +22,7 @@ ENV PYTHON_VERSION 3.6.6
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
+		libressl \
 		tar \
 		xz \
 	\
@@ -46,6 +47,7 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
+		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -104,6 +106,8 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 18.0
 
 RUN set -ex; \
+	\
+	apk add --no-cache --virtual .fetch-deps libressl; trap 'apk del .fetch-deps' EXIT; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
diff --git a/3.6/alpine3.7/Dockerfile b/3.6/alpine3.7/Dockerfile
index 7b1221227..a3d433ce6 100644
--- a/3.6/alpine3.7/Dockerfile
+++ b/3.6/alpine3.7/Dockerfile
@@ -13,9 +13,6 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.6.6
 
diff --git a/3.6/alpine3.8/Dockerfile b/3.6/alpine3.8/Dockerfile
index 073d33da8..b2e81be6d 100644
--- a/3.6/alpine3.8/Dockerfile
+++ b/3.6/alpine3.8/Dockerfile
@@ -13,9 +13,6 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.6.6
 
diff --git a/3.7/alpine3.7/Dockerfile b/3.7/alpine3.7/Dockerfile
index 6f504739c..83371a0b6 100644
--- a/3.7/alpine3.7/Dockerfile
+++ b/3.7/alpine3.7/Dockerfile
@@ -13,9 +13,6 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.7.0
 
diff --git a/3.7/alpine3.8/Dockerfile b/3.7/alpine3.8/Dockerfile
index a028f27b3..26aaacb07 100644
--- a/3.7/alpine3.8/Dockerfile
+++ b/3.7/alpine3.8/Dockerfile
@@ -13,9 +13,6 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
-
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.7.0
 
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 7557434ce..43c2df0d8 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -7,8 +7,8 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
+# install ca-certificates so that HTTPS works consistently (other runtime dependencies for Python are installed later); only needed on Alpine 3.6 (3.7+ includes these in the base)
+RUN apk add --no-cache ca-certificates
 
 ENV GPG_KEY %%PLACEHOLDER%%
 ENV PYTHON_VERSION %%PLACEHOLDER%%
@@ -16,6 +16,7 @@ ENV PYTHON_VERSION %%PLACEHOLDER%%
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
+		libressl \
 		tar \
 		xz \
 	\
@@ -41,6 +42,7 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
+		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -100,6 +102,8 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION %%PLACEHOLDER%%
 
 RUN set -ex; \
+	\
+	apk add --no-cache --virtual .fetch-deps libressl; trap 'apk del .fetch-deps' EXIT; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
diff --git a/Dockerfile-caveman-alpine.template b/Dockerfile-caveman-alpine.template
index cec5f0d13..3ca746fe6 100644
--- a/Dockerfile-caveman-alpine.template
+++ b/Dockerfile-caveman-alpine.template
@@ -9,8 +9,8 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install libressl so that HTTPS works on Alpine <3.7
-# RUN apk add --no-cache libressl
+# install ca-certificates so that HTTPS works consistently (other runtime dependencies for Python are installed later); only needed on Alpine 3.6 (3.7+ includes these in the base)
+RUN apk add --no-cache ca-certificates
 
 ENV GPG_KEY %%PLACEHOLDER%%
 ENV PYTHON_VERSION %%PLACEHOLDER%%
@@ -18,6 +18,7 @@ ENV PYTHON_VERSION %%PLACEHOLDER%%
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
+		libressl \
 		tar \
 		xz \
 	\
@@ -41,6 +42,7 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libnsl-dev \
+		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -89,6 +91,8 @@ RUN set -ex \
 ENV PYTHON_PIP_VERSION %%PLACEHOLDER%%
 
 RUN set -ex; \
+	\
+	apk add --no-cache --virtual .fetch-deps libressl; trap 'apk del .fetch-deps' EXIT; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
diff --git a/update.sh b/update.sh
index 1d1804ba3..3fd81c600 100755
--- a/update.sh
+++ b/update.sh
@@ -152,12 +152,17 @@ for version in "${versions[@]}"; do
 			wheezy) sed -ri -e 's/dpkg-architecture --query /dpkg-architecture -q/g' "$dir/Dockerfile" ;;
 		esac
 
+		if [[ "$v" == alpine* ]] && [ "$v" != 'alpine3.6' ]; then
+			# https://github.com/docker-library/python/pull/307
+			# on Alpine 3.6 it's necessary to install libressl to get working HTTPS with wget (and ca-certificates for Python's runtime), but later versions don't require this (support for both is baked into the base)
+			sed -ri -e '/(libressl|openssl|ca-certificates)([ ;]|$)/d' "$dir/Dockerfile"
+
+			# remove any double-empty (or double-empty-continuation) lines the above created
+			uniq "$dir/Dockerfile" > "$dir/Dockerfile.new"
+			mv "$dir/Dockerfile.new" "$dir/Dockerfile"
+		fi
+
 		case "$version/$v" in
-			# On Alpine 3.6 it's necessary to install libressl to get working HTTPS.
-			# Later Alpine versions have CA certificates pre-installed.
-			*/alpine3.6)
-				sed -ri -e '/^# .* libressl$/s/^# //' "$dir/Dockerfile"
-				;;& # (other patches needed for Alpine 3.6 in later blocks)
 			# https://bugs.python.org/issue32598 (Python 3.7.0b1+)
 			# TL;DR: Python 3.7+ uses OpenSSL functionality which LibreSSL 2.6.x in Alpine 3.7 doesn't implement
 			# Python 3.5 on Alpine 3.8 needs OpenSSL too