From 6f7aa47897c89e11ca30ef872a76f3a71dcc735a Mon Sep 17 00:00:00 2001
From: Olivier Grisel
Date: Sat, 2 Apr 2016 23:58:04 +0200
Subject: [PATCH 1/4] Use patchelf 0.9 + Nathaniel's fixes
---
 docker/build_scripts/build.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/docker/build_scripts/build.sh b/docker/build_scripts/build.sh
index b3e2aec10..57dbcfc13 100644
--- a/docker/build_scripts/build.sh
+++ b/docker/build_scripts/build.sh
@@ -48,11 +48,11 @@ mkdir -p /opt/python
 build_cpythons $CPYTHON_VERSIONS
 rm -rf /usr/local/ssl
-# Install patchelf and auditwheel (latest)
-curl -sLO http://nixos.org/releases/patchelf/patchelf-0.9/patchelf-0.9.tar.gz
-tar -xzf patchelf-0.9.tar.gz
-(cd patchelf-0.9 && ./configure && make && make install)
-rm -rf patchelf-0.9.tar.gz patchelf-0.9
+# Install patchelf and auditwheel (latest with unreleased bug fixes)
+curl -sLO http://nipy.bic.berkeley.edu/manylinux/patchelf-0.9njs2.tar.gz
+tar -xzf patchelf-0.9njs2.tar.gz
+(cd patchelf-0.9njs2 && ./configure && make && make install)
+rm -rf patchelf-0.9njs2.tar.gz patchelf-0.9njs2
 PY35_BIN=/opt/python/cp35-cp35m/bin
 $PY35_BIN/pip install auditwheel
From 8c21e9d5394f200c218a173ca79bc9fb5f6fbd15 Mon Sep 17 00:00:00 2001
From: Olivier Grisel
Date: Sun, 3 Apr 2016 10:58:00 +0200
Subject: [PATCH 2/4] Use HTTPS to download patchelf-0.9njs2.tar.gz
---
 docker/build_scripts/build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/build_scripts/build.sh b/docker/build_scripts/build.sh
index 57dbcfc13..69088ccff 100644
--- a/docker/build_scripts/build.sh
+++ b/docker/build_scripts/build.sh
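Review bot: In patch 1/4, hunk `@@ -48,11 +48,11 @@` of build.sh, the new comment says only "latest with unreleased bug fixes" and does not record what `patchelf-0.9njs2.tar.gz` was built from, although the lines that follow configure, build and install it into the image. Because this is not an upstream release, the comment should name its provenance, for example `# patchelf 0.9 plus unreleased fixes; source: REPO_URL at COMMIT (placeholder)`. The `curl -sLO` call also has no `-f`, so an HTTP error body would be saved under the tarball's name; `curl -fsSLO` makes the download step itself fail. The plain-HTTP URL and the missing digest at this point are changed by patches 2/4 and 3/4 of the same series.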
@@ -49,7 +49,7 @@ build_cpythons $CPYTHON_VERSIONS
 rm -rf /usr/local/ssl
 # Install patchelf and auditwheel (latest with unreleased bug fixes)
-curl -sLO http://nipy.bic.berkeley.edu/manylinux/patchelf-0.9njs2.tar.gz
+curl -sLO https://nipy.bic.berkeley.edu/manylinux/patchelf-0.9njs2.tar.gz
 tar -xzf patchelf-0.9njs2.tar.gz
 (cd patchelf-0.9njs2 && ./configure && make && make install)
 rm -rf patchelf-0.9njs2.tar.gz patchelf-0.9njs2
From eb02f2bc7ba6011690f4f8df592149260b47d926 Mon Sep 17 00:00:00 2001
From: Olivier Grisel
Date: Sun, 3 Apr 2016 12:59:40 +0200
Subject: [PATCH 3/4] Check sha256 digests of downloaded components
---
 docker/build_scripts/build.sh | 10 +++++++++-
 docker/build_scripts/build_utils.sh | 17 ++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/docker/build_scripts/build.sh b/docker/build_scripts/build.sh
index 69088ccff..5ca973032 100644
--- a/docker/build_scripts/build.sh
+++ b/docker/build_scripts/build.sh
@@ -11,6 +11,9 @@ CPYTHON_VERSIONS="2.6.9 2.7.11 3.3.6 3.4.4 3.5.1"
 # archive
 OPENSSL_ROOT=openssl-1.0.2g
 OPENSSL_HASH=b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33
+EPEL_RPM_HASH=0dcc89f9bf67a2a515bad64569b7a9615edc5e018f676a578d5fd0f17d3c81d4
+DEVTOOLS_HASH=a8ebeb4bed624700f727179e6ef771dafe47651131a00a78b342251415646acc
+PATCHELF_HASH=d9afdff4baeacfbc64861454f368b7f2c15c44d245293f7587bbf726bfe722fb
 # Dependencies for compiling Python that we want to remove from
 # the final image after compiling Python
@@ -26,8 +29,12 @@ source $MY_DIR/build_utils.sh
 # EPEL support
 yum -y install wget curl
 curl -sLO https://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
+check_sha256sum epel-release-5-4.noarch.rpm $EPEL_RPM_HASH
+
 # Dev toolset (for LLVM and other projects requiring C++11 support)
-curl -sL http://people.centos.org/tru/devtools-2/devtools-2.repo > /etc/yum.repos.d/devtools-2.repo
+curl -sLO http://people.centos.org/tru/devtools-2/devtools-2.repo
+check_sha256sum devtools-2.repo $DEVTOOLS_HASH
+mv devtools-2.repo /etc/yum.repos.d/devtools-2.repo
 rpm -Uvh --replacepkgs epel-release-5*.rpm
 rm -f epel-release-5*.rpm
@@ -50,6 +57,7 @@ rm -rf /usr/local/ssl
 # Install patchelf and auditwheel (latest with unreleased bug fixes)
 curl -sLO https://nipy.bic.berkeley.edu/manylinux/patchelf-0.9njs2.tar.gz
+check_sha256sum patchelf-0.9njs2.tar.gz $PATCHELF_HASH
 tar -xzf patchelf-0.9njs2.tar.gz
 (cd patchelf-0.9njs2 && ./configure && make && make install)
 rm -rf patchelf-0.9njs2.tar.gz patchelf-0.9njs2
diff --git a/docker/build_scripts/build_utils.sh b/docker/build_scripts/build_utils.sh
index d671fa2d5..ed588f6b7 100755
--- a/docker/build_scripts/build_utils.sh
+++ b/docker/build_scripts/build_utils.sh
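Review bot: In hunk `@@ -26,8 +29,12 @@` of build.sh, the digest check on `devtools-2.repo` pins only the text of the repository definition, not the packages yum later installs from the repository it configures. Whether those packages are authenticated depends on the `gpgcheck` and `baseurl` settings inside that file, which are not visible in this patch and should be confirmed, given that the file itself is still fetched over plain HTTP. Separately, the check names `epel-release-5-4.noarch.rpm`, while the unchanged `rpm -Uvh --replacepkgs epel-release-5*.rpm` installs whatever matches the glob; `rpm -Uvh --replacepkgs epel-release-5-4.noarch.rpm` keeps the verified file and the installed file the same.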
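Review bot: In hunk `@@ -50,6 +57,7 @@` of build.sh, the pinning stops at the patchelf tarball: the `$PY35_BIN/pip install auditwheel` line that follows this block (visible as context in patch 1/4) still installs whichever auditwheel release is current, with no version or hash. A pinned install such as `$PY35_BIN/pip install auditwheel==X.Y.Z` (placeholder version) would make that component reproducible too, with pip's hash-checking mode (`--require-hashes`) on top where the bundled pip supports it.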
@@ -89,16 +89,27 @@ function do_openssl_build {
 }
+function check_sha256sum {
+ local fname=$1
+ check_var $fname
+ local sha256=$2
+ check_var $sha256
+
+ echo "${sha256} ${fname}" > ${fname}.sha256
+ sha256sum -c ${fname}.sha256
+ rm ${fname}.sha256
+}
+
+
 function build_openssl {
 local openssl_fname=$1
 check_var $openssl_fname
 local openssl_sha256=$2
 check_var $openssl_sha256
 check_var $OPENSSL_DOWNLOAD_URL
- echo "${openssl_sha256} ${openssl_fname}.tar.gz" > ${openssl_fname}.tar.gz.sha256
 curl -sLO $OPENSSL_DOWNLOAD_URL/${openssl_fname}.tar.gz
- sha256sum -c ${openssl_fname}.tar.gz.sha256
+ check_sha256sum $openssl_fname.tar.gz $openssl_sha256
 tar -xzf ${openssl_fname}.tar.gz
 (cd ${openssl_fname} && do_openssl_build)
- rm -rf ${openssl_fname} ${openssl_fname}.tar.gz ${openssl_fname}.tar.gz.sha256
+ rm -rf ${openssl_fname} ${openssl_fname}.tar.gz
 }
From 2ec823ff872d398e388df1f7e0460194383b77f1 Mon Sep 17 00:00:00 2001
From: Olivier Grisel
Date: Sun, 3 Apr 2016 14:17:08 +0200
Subject: [PATCH 4/4] More consistent use of curly brackets in helper functions
---
 docker/build_scripts/build_utils.sh | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/docker/build_scripts/build_utils.sh b/docker/build_scripts/build_utils.sh
index ed588f6b7..c5c9f53a4 100755
--- a/docker/build_scripts/build_utils.sh
+++ b/docker/build_scripts/build_utils.sh
@@ -91,9 +91,9 @@ function do_openssl_build {
 function check_sha256sum {
 local fname=$1
- check_var $fname
+ check_var ${fname}
 local sha256=$2
- check_var $sha256
+ check_var ${sha256}
 echo "${sha256} ${fname}" > ${fname}.sha256
 sha256sum -c ${fname}.sha256
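Review bot: `check_sha256sum` (patch 3/4, hunk `@@ -89,16 +89,27 @@` of build_utils.sh) ends with `rm ${fname}.sha256`, so the function's exit status is that of `rm`, not of `sha256sum -c`. A digest mismatch therefore stops the build only when the caller runs under `set -e` and invokes the function as a plain command; without errexit, or in a call such as `check_sha256sum f h || ...` or `if check_sha256sum ...`, the mismatch is printed and then ignored. Feeding the expected line on stdin makes the verification the last command and removes the sidecar file: `echo "${sha256}  ${fname}" | sha256sum -c -`. The function should also carry a header comment stating its two arguments (file name, expected hex digest) and that it returns non-zero on mismatch.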
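Review bot: In patch 4/4 (hunks `@@ -91,9 +91,9 @@` and `@@ -103,12 +103,12 @@` of build_utils.sh) the expansions gain braces but stay unquoted, and braces do not stop word splitting or globbing; `check_var ${fname}` with an empty value still passes no argument at all. Quoting is the change that matters for these helpers, e.g. `check_var "${fname}"`, `check_sha256sum "${openssl_fname}.tar.gz" "${openssl_sha256}"` and `curl -sLO "${OPENSSL_DOWNLOAD_URL}/${openssl_fname}.tar.gz"`. The same applies to the unchanged redirect to `${fname}.sha256` and the `sha256sum -c ${fname}.sha256` line in `check_sha256sum`. Both functions end outside these hunks, and `check_var` itself is not shown, so how it treats a missing argument should be checked.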
@@ -103,12 +103,12 @@ function check_sha256sum {
 function build_openssl {
 local openssl_fname=$1
- check_var $openssl_fname
+ check_var ${openssl_fname}
 local openssl_sha256=$2
- check_var $openssl_sha256
- check_var $OPENSSL_DOWNLOAD_URL
- curl -sLO $OPENSSL_DOWNLOAD_URL/${openssl_fname}.tar.gz
- check_sha256sum $openssl_fname.tar.gz $openssl_sha256
+ check_var ${openssl_sha256}
+ check_var ${OPENSSL_DOWNLOAD_URL}
+ curl -sLO ${OPENSSL_DOWNLOAD_URL}/${openssl_fname}.tar.gz
+ check_sha256sum ${openssl_fname}.tar.gz ${openssl_sha256}
 tar -xzf ${openssl_fname}.tar.gz
 (cd ${openssl_fname} && do_openssl_build)
 rm -rf ${openssl_fname} ${openssl_fname}.tar.gz