From 70749fcc8ff9334526f3e29581460b30efcafe37 Mon Sep 17 00:00:00 2001
From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com>
Date: Tue, 23 Jun 2026 22:46:49 -0400
Subject: [PATCH 1/2] chore(build): honor pinned toolchain, drop dead UPX install The compile Dockerfiles built with 'cargo +stable', overriding the channel = "1.93.1" pin in rust-toolchain.toml. Drop the '+stable' override and install rustup with --default-toolchain none so rust-toolchain.toml auto-installs and drives the toolchain, making builds reproducible against the pinned version. Also remove the dead UPX install from Dockerfile.build_layer: the binary ships uncompressed, so nothing invokes upx anymore.
---
 images/Dockerfile.bottlecap.alpine.compile | 4 ++--
 images/Dockerfile.bottlecap.compile | 4 ++--
 images/Dockerfile.build_layer | 13 -------------
 3 files changed, 4 insertions(+), 17 deletions(-)
diff --git a/images/Dockerfile.bottlecap.alpine.compile b/images/Dockerfile.bottlecap.alpine.compile
index 9858c5662..290cc4c08 100644
--- a/images/Dockerfile.bottlecap.alpine.compile
+++ b/images/Dockerfile.bottlecap.alpine.compile
@@ -17,7 +17,7 @@ RUN set -euo pipefail && \
 curl https://sh.rustup.rs -sSf | \
 sh -s -- --profile minimal \
 --default-host "${PLATFORM}-unknown-linux-musl" \
- --default-toolchain "stable-${PLATFORM}-unknown-linux-musl" \
+ --default-toolchain none \
 --component rust-src \
 -y
 ENV PATH="${PATH}:/root/.cargo/bin"
@@ -47,7 +47,7 @@ RUN --mount=type=cache,target=/root/.cargo/git \
 # -Ctarget-feature=-crt-static so that it is capable of dynamically loading
 # libclang; while still building bottlecap with a static CRT.
 RUSTC_WRAPPER=/tmp/dd/.cargo/musl.rustc-wrapper \
- cargo +stable build --verbose --locked --no-default-features \
+ cargo build --verbose --locked --no-default-features \
 --features="${FEATURES}" \
 --profile="${PROFILE:-release}" && \
 mkdir -p /tmp/out && \
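Review bot: The `curl https://sh.rustup.rs -sSf | sh` bootstrap in this RUN still fetches and executes whatever installer is served at build time, so the toolchain is pinned by rust-toolchain.toml while the program that installs it is neither pinned nor verified. At minimum the fetch should refuse anything but HTTPS, e.g. `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \`; a stronger option is to download a fixed rustup-init release and compare it with a recorded SHA-256 before running it. The same line appears in images/Dockerfile.bottlecap.compile. The RUN instruction starts above the hunk.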
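Review bot: With `--default-toolchain none`, the first `cargo build` in this RUN is what triggers the toolchain download, so a missing or unreadable rust-toolchain.toml in the build directory surfaces only as a cargo failure deep inside the cache-mounted step, and rustup's install-on-first-use behaviour has changed between rustup releases. An explicit step before the build, such as `rustup toolchain install` run from the directory holding rust-toolchain.toml (assuming a rustup new enough to accept the no-argument form), would make the pinned install a visible, separately cached layer. A comment such as `# toolchain comes from rust-toolchain.toml; do not add +<channel> here` would also keep the override from creeping back. The same applies to the build RUN in images/Dockerfile.bottlecap.compile; both RUN instructions extend beyond their hunks.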
diff --git a/images/Dockerfile.bottlecap.compile b/images/Dockerfile.bottlecap.compile
index 12a23f64b..e8ee90d99 100644
--- a/images/Dockerfile.bottlecap.compile
+++ b/images/Dockerfile.bottlecap.compile
@@ -16,7 +16,7 @@ RUN chmod +x /install-protoc.sh && /install-protoc.sh
 RUN curl https://sh.rustup.rs -sSf | \
 sh -s -- --profile minimal \
 --default-host "${PLATFORM}-unknown-linux-gnu" \
- --default-toolchain "stable-${PLATFORM}-unknown-linux-gnu" \
+ --default-toolchain none \
 --component rust-src \
 -y
 ENV PATH="${PATH}:/root/.cargo/bin"
@@ -46,7 +46,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/git \
 # The `libddwaf` crate links against static objects that require `libclang_rt.builtins`, but
 # this is not presented to the linker by default on this platform, so we force it in.
 export RUSTFLAGS="${RUSTFLAGS:-} -Clinker=clang -L$(dirname $(clang --print-file-name="libclang_rt.builtins-$(uname -m).a")) -lclang_rt.builtins-$(uname -m)"; \
- cargo +stable build --verbose --locked --no-default-features --features="${FEATURES}" ${BUILD_FLAG} && \
+ cargo build --verbose --locked --no-default-features --features="${FEATURES}" ${BUILD_FLAG} && \
 mkdir -p /tmp/out && cp "/tmp/dd/bottlecap/target/${BUILD_MODE}/bottlecap" /tmp/out/bottlecap
 # Use smallest image possible
diff --git a/images/Dockerfile.build_layer b/images/Dockerfile.build_layer
index c931f7ddf..e08e6616d 100644
--- a/images/Dockerfile.build_layer
+++ b/images/Dockerfile.build_layer
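Review bot: Unlike the Alpine variant, this `RUN curl https://sh.rustup.rs -sSf | \` has no `set -euo pipefail` in front of it, so the step's exit status is that of `sh` alone and a failed download is not reported where it happens. Whether this image's /bin/sh supports `pipefail` is not visible in the hunk; a form that does not depend on it is to save the installer first and run it second, `curl -sSf -o /tmp/rustup-init.sh https://sh.rustup.rs && sh /tmp/rustup-init.sh --profile minimal ... -y`. That also leaves a file whose checksum can be compared before it is executed.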
@@ -5,19 +5,6 @@ ARG FILE_SUFFIX
 # Install dependencies
 RUN apt-get update && apt-get install -y zip binutils wget tar xz-utils
-# UPX installation directly from GitHub
-ENV UPX_VERSION=5.0.0
-RUN ARCH=$(uname -m) && \
- if [ "$ARCH" = "x86_64" ]; then \
- ARCH_NAME="amd64"; \
- elif [ "$ARCH" = "aarch64" ]; then \
- ARCH_NAME="arm64"; \
- fi && \
- wget https://github.com/upx/upx/releases/download/v${UPX_VERSION}/upx-${UPX_VERSION}-${ARCH_NAME}_linux.tar.xz && \
- tar -xf upx-${UPX_VERSION}-${ARCH_NAME}_linux.tar.xz && \
- mv upx-${UPX_VERSION}-${ARCH_NAME}_linux/upx /usr/local/bin/ && \
- rm -rf upx-${UPX_VERSION}-${ARCH_NAME}_linux upx-${UPX_VERSION}-${ARCH_NAME}_linux.tar.xz
-
 RUN mkdir /extensions
 WORKDIR /extensions
From ee1bd399bfd899fd125f7a701e1aed80bfdb9b66 Mon Sep 17 00:00:00 2001
From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com>
Date: Wed, 24 Jun 2026 00:23:48 -0400
Subject: [PATCH 2/2] chore(build): drop inert --component rust-src flag With --default-toolchain none, rust-src had nothing to attach to; the toml-pinned toolchain installs only rustfmt/clippy and nothing consumes rust-src.
---
 images/Dockerfile.bottlecap.alpine.compile | 1 -
 images/Dockerfile.bottlecap.compile | 1 -
 2 files changed, 2 deletions(-)
diff --git a/images/Dockerfile.bottlecap.alpine.compile b/images/Dockerfile.bottlecap.alpine.compile
index 290cc4c08..a460e3406 100644
--- a/images/Dockerfile.bottlecap.alpine.compile
+++ b/images/Dockerfile.bottlecap.alpine.compile
@@ -18,7 +18,6 @@ RUN set -euo pipefail && \
 sh -s -- --profile minimal \
 --default-host "${PLATFORM}-unknown-linux-musl" \
 --default-toolchain none \
- --component rust-src \
 -y
 ENV PATH="${PATH}:/root/.cargo/bin"
diff --git a/images/Dockerfile.bottlecap.compile b/images/Dockerfile.bottlecap.compile
index e8ee90d99..1e021aeb4 100644
--- a/images/Dockerfile.bottlecap.compile
+++ b/images/Dockerfile.bottlecap.compile
@@ -17,7 +17,6 @@ RUN curl https://sh.rustup.rs -sSf | \
 sh -s -- --profile minimal \
 --default-host "${PLATFORM}-unknown-linux-gnu" \
 --default-toolchain none \
- --component rust-src \
 -y
 ENV PATH="${PATH}:/root/.cargo/bin"