Context
The ClusterFuzzLite Docker build (see .clusterfuzzlite/Dockerfile) is based on gcr.io/oss-fuzz-base/base-builder-rust:v1, which is currently Ubuntu 20.04 (focal). Focal ships Python 3.8 by default and does not provide Python 3.12 in its apt repos. Our fuzzing harness requires Python 3.12 for Atheris 3.0.0.
Current Workaround (PR #453, commit e007f53c)
To unblock fuzz job execution we added the deadsnakes PPA to install Python 3.12 + python3.12-venv, then bootstrapped pip via get-pip.py (since focal's pip + --break-system-packages flag combo is fragile and Atheris install failed under PEP 668 conditions on the rust base image).
Diff summary (.clusterfuzzlite/Dockerfile):
- Add software-properties-common, then add-apt-repository -y ppa:deadsnakes/ppa + apt-get update
- Install python3.12 python3.12-venv python3.12-dev
- Bootstrap pip with curl get-pip.py | python3.12
- Install Atheris via plain pip install (no --break-system-packages)
This works but pulls a third-party PPA into our fuzzing build, increases image size/build time, and couples us to deadsnakes' release cadence.
Why This Is Tech Debt / Security Concern
- Supply chain: deadsnakes is a community-maintained PPA, not part of our pinned dependency surface; it bypasses our normal apt source review.
- Image age: Ubuntu 20.04 reaches standard EOL in April 2025; OSS-Fuzz base images need to track 22.04/24.04.
- Fragility: Any apt key rotation or PPA outage breaks fuzzing CI.
- Drift from upstream: We are patching what should be an upstream fix in oss-fuzz/infra/base-images/base-builder-rust.
Upgrade Options
1. Wait for upstream OSS-Fuzz to publish a 22.04/24.04 base-builder-rust tag and pin to it. Track google/oss-fuzz#11888 and similar.
2. Fork or build our own base-builder-rust from a 22.04/24.04 base with Python 3.12 + Rust toolchain preinstalled, host it in our registry, and pin it by digest.
3. Downgrade the harness to focal-native Python 3.8 + an Atheris release that supports 3.8 (rejected: it gives up feature parity with the current code).
Recommended: Option 2 short-term, migrate to Option 1 once upstream catches up.
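As an added example (not code from this issue or the project), the CI guardrail that would catch the workaround and confirm an Option 2 image: it scans a Dockerfile for an unpinned FROM image, a PPA added via add-apt-repository, and a download piped into the interpreter. The two sample Dockerfiles are constructed here (the first reconstructed from the diff summary above, the second with a placeholder digest, not a real one), and the temp file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or the project: a CI guardrail that scans a
# Dockerfile for the concerns the issue lists: a FROM image not pinned by @sha256
# digest, a third-party PPA pulled in via add-apt-repository, and pip bootstrapped by
# piping a download into the interpreter. Findings go to stderr, the count to stdout.
# Limitation: multi-line RUN instructions are inspected one physical line at a time.
check_dockerfile() {
  findings=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      FROM*)
        case "$line" in
          *@sha256:*) ;;  # pinned by digest, as the issue recommends
          *) echo "unpinned base image: $line" >&2; findings=$((findings + 1)) ;;
        esac ;;
    esac
    case "$line" in
      *add-apt-repository*ppa:*)
        echo "third-party PPA outside apt source review: $line" >&2
        findings=$((findings + 1)) ;;
    esac
    case "$line" in
      *curl*'|'*python*)
        echo "pipe-to-interpreter bootstrap: $line" >&2
        findings=$((findings + 1)) ;;
    esac
  done < "$1"
  echo "$findings"
}
# Constructed sample 1: the current workaround, reconstructed from the diff summary.
WORKAROUND="${TMPDIR:-/tmp}/workaround.Dockerfile"
cat > "$WORKAROUND" <<'EOF'
FROM gcr.io/oss-fuzz-base/base-builder-rust:v1
RUN apt-get update && apt-get install -y software-properties-common
RUN add-apt-repository -y ppa:deadsnakes/ppa && apt-get update
RUN apt-get install -y python3.12 python3.12-venv python3.12-dev
RUN curl -sSL https://bootstrap.pypa.io/get-pip.py | python3.12
RUN python3.12 -m pip install atheris
EOF
# Constructed sample 2: Option 2 style, pinned by a placeholder digest (not a real one),
# on a base whose own apt repos carry Python 3.12 so no PPA is needed.
PINNED="${TMPDIR:-/tmp}/pinned.Dockerfile"
cat > "$PINNED" <<'EOF'
FROM ubuntu:24.04@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y python3.12 python3.12-venv python3.12-dev
RUN python3.12 -m venv /opt/fuzz && /opt/fuzz/bin/pip install atheris
EOF
echo "workaround findings: $(check_dockerfile "$WORKAROUND")"
echo "pinned findings:     $(check_dockerfile "$PINNED")"
```

Wire it into CI as a pre-build step that fails when the count is non-zero, and the PPA cannot creep back in unnoticed.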
References
Acceptance Criteria