diff --git a/3.10/alpine3.16/Dockerfile b/3.10/alpine3.16/Dockerfile
index affda7969..be7f497f1 100644
--- a/3.10/alpine3.16/Dockerfile
+++ b/3.10/alpine3.16/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
@@ -84,13 +85,15 @@ RUN set -eux; \
 # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit()
 # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0
 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.10/alpine3.17/Dockerfile b/3.10/alpine3.17/Dockerfile
index 147fc2782..2f0730120 100644
--- a/3.10/alpine3.17/Dockerfile
+++ b/3.10/alpine3.17/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
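Review bot: The comment above the new `patchelf --set-rpath '$ORIGIN/../lib' "$bin"` line in the `make install` hunk promises more than the command guarantees: patchelf writes DT_RUNPATH unless `--force-rpath` is passed, and the dynamic loader consults `LD_LIBRARY_PATH` before DT_RUNPATH, so a directory supplied through the environment can still win over `/usr/local/lib`. I would state that limit in the comment, e.g. `# sets DT_RUNPATH; LD_LIBRARY_PATH is still searched first`, and assert the result right after patching with `[ "$(patchelf --print-rpath "$bin")" = '$ORIGIN/../lib' ]; \`. Only the interpreter binary is patched now, whereas the removed `LDFLAGS` rpath applied to everything the build linked, so it is worth confirming that nothing else relied on it. The same lines recur in every patchelf hunk of this diff, and the RUN instruction starts and ends outside the hunk.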
@@ -84,13 +85,15 @@ RUN set -eux; \ # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit() # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ diff --git a/3.10/bullseye/Dockerfile b/3.10/bullseye/Dockerfile index f5503d094..63e2218a7 100644 --- a/3.10/bullseye/Dockerfile +++ b/3.10/bullseye/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.9 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ 
@@ -53,15 +59,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -78,6 +84,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.10/buster/Dockerfile b/3.10/buster/Dockerfile index cd98ac041..7a7901e01 100644 --- a/3.10/buster/Dockerfile +++ b/3.10/buster/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.9 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ 
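Review bot: Replacing `bin="$(readlink -ve /usr/local/bin/python3)"` with the `-vf` form drops the existence check on the final path component, and the GDB auto-load step below now reuses that value for `dirname` and the `cp` destination. With `-f`, a missing `/usr/local/bin/python3` is only reported by `patchelf` on the following line instead of by `readlink` itself. On the Debian variants I would keep `bin="$(readlink -ve /usr/local/bin/python3)"; \` so the failure stays at the point where the path is resolved; presumably `-f` was chosen to share one template with the Alpine files. The same substitution appears in the other full Debian sections of this diff, and the RUN instruction starts and ends outside the hunk.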
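Review bot: `apt-mark manual $savedAptMark` in the cleanup hunk runs unguarded, so an empty `savedAptMark` would call `apt-mark manual` with no package names and, under `set -eux`, would likely abort the build. A guard such as `[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \` costs nothing, and a short comment should say the expansion is left unquoted on purpose so each package name becomes its own argument. Because `apt-mark auto '.*'` followed by `apt-get purge -y --auto-remove` decides what is removed from the final image, a comment stating that only patchelf and its dependencies are expected to go would help the next reviewer. The matching `savedAptMark="$(apt-mark showmanual)"` line sits in the first hunk of the same file, and the same cleanup block recurs in the other full Debian sections.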
@@ -53,15 +59,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -78,6 +84,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.10/slim-bullseye/Dockerfile b/3.10/slim-bullseye/Dockerfile index 3532cd43d..54257cead 100644 --- a/3.10/slim-bullseye/Dockerfile +++ b/3.10/slim-bullseye/Dockerfile @@ -46,6 +46,7 @@ RUN set -eux; \ libsqlite3-dev \ libssl-dev \ make \ + patchelf \ tk-dev \ uuid-dev \ wget \ 
@@ -78,13 +79,15 @@ RUN set -eux; \
 ; \
 nproc="$(nproc)"; \
 make -j "$nproc" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.10/slim-buster/Dockerfile b/3.10/slim-buster/Dockerfile
index e04983659..99f998a90 100644
--- a/3.10/slim-buster/Dockerfile
+++ b/3.10/slim-buster/Dockerfile
@@ -46,6 +46,7 @@ RUN set -eux; \
 libsqlite3-dev \
 libssl-dev \
 make \
+ patchelf \
 tk-dev \
 uuid-dev \
 wget \
@@ -78,13 +79,15 @@ RUN set -eux; \
 ; \
 nproc="$(nproc)"; \
 make -j "$nproc" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.11/alpine3.16/Dockerfile b/3.11/alpine3.16/Dockerfile
index 9820e74c2..7e2e60947 100644
--- a/3.11/alpine3.16/Dockerfile
+++ b/3.11/alpine3.16/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
@@ -84,13 +85,15 @@ RUN set -eux; \
 # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit()
 # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0
 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.11/alpine3.17/Dockerfile b/3.11/alpine3.17/Dockerfile
index 94206b463..f0dede51c 100644
--- a/3.11/alpine3.17/Dockerfile
+++ b/3.11/alpine3.17/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
@@ -84,13 +85,15 @@ RUN set -eux; \
 # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit()
 # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0
 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.11/bullseye/Dockerfile b/3.11/bullseye/Dockerfile index 84c6bbaf5..fb5f58983 100644 --- a/3.11/bullseye/Dockerfile +++ b/3.11/bullseye/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.1 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -53,15 +59,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -78,6 +84,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.11/buster/Dockerfile b/3.11/buster/Dockerfile index 12a30ca05..1ff15e8b1 100644 --- a/3.11/buster/Dockerfile 
+++ b/3.11/buster/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.1 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -53,15 +59,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -78,6 +84,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.11/slim-bullseye/Dockerfile b/3.11/slim-bullseye/Dockerfile index bbdbcfbb4..41ee538f5 100644 --- a/3.11/slim-bullseye/Dockerfile +++ b/3.11/slim-bullseye/Dockerfile 
@@ -46,6 +46,7 @@ RUN set -eux; \
 libsqlite3-dev \
 libssl-dev \
 make \
+ patchelf \
 tk-dev \
 uuid-dev \
 wget \
@@ -78,13 +79,15 @@ RUN set -eux; \
 ; \
 nproc="$(nproc)"; \
 make -j "$nproc" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.11/slim-buster/Dockerfile b/3.11/slim-buster/Dockerfile
index f247000b5..1ef82dce9 100644
--- a/3.11/slim-buster/Dockerfile
+++ b/3.11/slim-buster/Dockerfile
@@ -46,6 +46,7 @@ RUN set -eux; \
 libsqlite3-dev \
 libssl-dev \
 make \
+ patchelf \
 tk-dev \
 uuid-dev \
 wget \
@@ -78,13 +79,15 @@ RUN set -eux; \
 ; \
 nproc="$(nproc)"; \
 make -j "$nproc" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.12-rc/alpine3.16/Dockerfile b/3.12-rc/alpine3.16/Dockerfile
index 5ce62ab42..b5660f54e 100644
--- a/3.12-rc/alpine3.16/Dockerfile
+++ b/3.12-rc/alpine3.16/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
@@ -84,13 +85,15 @@ RUN set -eux; \
 # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit()
 # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0
 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.12-rc/alpine3.17/Dockerfile b/3.12-rc/alpine3.17/Dockerfile
index 2e071ba3e..4b118add0 100644
--- a/3.12-rc/alpine3.17/Dockerfile
+++ b/3.12-rc/alpine3.17/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
@@ -84,13 +85,15 @@ RUN set -eux; \
 # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit()
 # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0
 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.12-rc/bullseye/Dockerfile b/3.12-rc/bullseye/Dockerfile index c9d5c782a..272e5876e 100644 --- a/3.12-rc/bullseye/Dockerfile +++ b/3.12-rc/bullseye/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.0a4 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -53,15 +59,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -78,6 +84,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.12-rc/buster/Dockerfile b/3.12-rc/buster/Dockerfile index f20a5ca13..784d7eb42 100644 --- a/3.12-rc/buster/Dockerfile 
+++ b/3.12-rc/buster/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.0a4 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -53,15 +59,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -78,6 +84,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.12-rc/slim-bullseye/Dockerfile b/3.12-rc/slim-bullseye/Dockerfile index 66801a680..c5a44c65b 100644 --- a/3.12-rc/slim-bullseye/Dockerfile +++ b/3.12-rc/slim-bullseye/Dockerfile 
@@ -46,6 +46,7 @@ RUN set -eux; \
 libsqlite3-dev \
 libssl-dev \
 make \
+ patchelf \
 tk-dev \
 uuid-dev \
 wget \
@@ -78,13 +79,15 @@ RUN set -eux; \
 ; \
 nproc="$(nproc)"; \
 make -j "$nproc" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.12-rc/slim-buster/Dockerfile b/3.12-rc/slim-buster/Dockerfile
index 5ac1c1424..8af4000eb 100644
--- a/3.12-rc/slim-buster/Dockerfile
+++ b/3.12-rc/slim-buster/Dockerfile
@@ -46,6 +46,7 @@ RUN set -eux; \
 libsqlite3-dev \
 libssl-dev \
 make \
+ patchelf \
 tk-dev \
 uuid-dev \
 wget \
@@ -78,13 +79,15 @@ RUN set -eux; \
 ; \
 nproc="$(nproc)"; \
 make -j "$nproc" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.7/alpine3.16/Dockerfile b/3.7/alpine3.16/Dockerfile
index abd763836..21b4fcb5f 100644
--- a/3.7/alpine3.16/Dockerfile
+++ b/3.7/alpine3.16/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
@@ -83,10 +84,7 @@ RUN set -eux; \
 # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit()
 # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0
 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 # setting PROFILE_TASK makes "--enable-optimizations" reasonable: https://bugs.python.org/issue36044 / https://github.com/docker-library/python/issues/160#issuecomment-509426916
 PROFILE_TASK='-m test.regrtest --pgo \
 test_array \
@@ -126,6 +124,11 @@ RUN set -eux; \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.7/alpine3.17/Dockerfile b/3.7/alpine3.17/Dockerfile
index 07d34f588..7eef7870f 100644
--- a/3.7/alpine3.17/Dockerfile
+++ b/3.7/alpine3.17/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
@@ -83,10 +84,7 @@ RUN set -eux; \ # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit() # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ # setting PROFILE_TASK makes "--enable-optimizations" reasonable: https://bugs.python.org/issue36044 / https://github.com/docker-library/python/issues/160#issuecomment-509426916 PROFILE_TASK='-m test.regrtest --pgo \ test_array \ @@ -126,6 +124,11 @@ RUN set -eux; \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ diff --git a/3.7/bullseye/Dockerfile b/3.7/bullseye/Dockerfile index fc69647cf..a711e508c 100644 --- a/3.7/bullseye/Dockerfile +++ b/3.7/bullseye/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.7.16 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ 
@@ -52,10 +58,6 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ # setting PROFILE_TASK makes "--enable-optimizations" reasonable: https://bugs.python.org/issue36044 / https://github.com/docker-library/python/issues/160#issuecomment-509426916 PROFILE_TASK='-m test.regrtest --pgo \ test_array \ @@ -95,8 +97,12 @@ RUN set -eux; \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -114,6 +120,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.7/buster/Dockerfile b/3.7/buster/Dockerfile index 54309bfed..ed5d625a9 100644 --- a/3.7/buster/Dockerfile +++ b/3.7/buster/Dockerfile 
@@ -27,6 +27,12 @@ ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.7.16 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -52,10 +58,6 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ # setting PROFILE_TASK makes "--enable-optimizations" reasonable: https://bugs.python.org/issue36044 / https://github.com/docker-library/python/issues/160#issuecomment-509426916 PROFILE_TASK='-m test.regrtest --pgo \ test_array \ @@ -95,8 +97,12 @@ RUN set -eux; \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -114,6 +120,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) 
diff --git a/3.7/slim-bullseye/Dockerfile b/3.7/slim-bullseye/Dockerfile
index 02fb0028c..fc027f1c9 100644
--- a/3.7/slim-bullseye/Dockerfile
+++ b/3.7/slim-bullseye/Dockerfile
@@ -46,6 +46,7 @@ RUN set -eux; \
 libsqlite3-dev \
 libssl-dev \
 make \
+ patchelf \
 tk-dev \
 uuid-dev \
 wget \
@@ -77,10 +78,7 @@ RUN set -eux; \
 ; \
 nproc="$(nproc)"; \
 make -j "$nproc" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 # setting PROFILE_TASK makes "--enable-optimizations" reasonable: https://bugs.python.org/issue36044 / https://github.com/docker-library/python/issues/160#issuecomment-509426916
 PROFILE_TASK='-m test.regrtest --pgo \
 test_array \
@@ -120,6 +118,11 @@ RUN set -eux; \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.7/slim-buster/Dockerfile b/3.7/slim-buster/Dockerfile
index 8069ab965..50af4aa64 100644
--- a/3.7/slim-buster/Dockerfile
+++ b/3.7/slim-buster/Dockerfile
@@ -46,6 +46,7 @@ RUN set -eux; \
 libsqlite3-dev \
 libssl-dev \
 make \
+ patchelf \
 tk-dev \
 uuid-dev \
 wget \
@@ -77,10 +78,7 @@ RUN set -eux; \
 ; \
 nproc="$(nproc)"; \
 make -j "$nproc" \
-# \$ because of the double quotes in the shell to prevent interpolation
-# $$ for make to not interpret the $O
-# " because it needs the ' around the path, and '"'"' instead is 🤢
- LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \
+ LDFLAGS="-Wl,--strip-all" \
 # setting PROFILE_TASK makes "--enable-optimizations" reasonable: https://bugs.python.org/issue36044 / https://github.com/docker-library/python/issues/160#issuecomment-509426916
 PROFILE_TASK='-m test.regrtest --pgo \
 test_array \
@@ -120,6 +118,11 @@ RUN set -eux; \
 ; \
 make install; \
 \
+# https://github.com/docker-library/python/issues/784
+# prevent accidental usage of a system installed libpython of the same version
+ bin="$(readlink -vf /usr/local/bin/python3)"; \
+ patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \
+ \
 cd /; \
 rm -rf /usr/src/python; \
 \
diff --git a/3.8/alpine3.16/Dockerfile b/3.8/alpine3.16/Dockerfile
index 0aecd15b4..7651a5005 100644
--- a/3.8/alpine3.16/Dockerfile
+++ b/3.8/alpine3.16/Dockerfile
@@ -45,6 +45,7 @@ RUN set -eux; \
 make \
 ncurses-dev \
 openssl-dev \
+ patchelf \
 pax-utils \
 readline-dev \
 sqlite-dev \
@@ -83,13 +84,15 @@ RUN set -eux; \ # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit() # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ diff --git a/3.8/alpine3.17/Dockerfile b/3.8/alpine3.17/Dockerfile index a62ad1d06..d083ec87d 100644 --- a/3.8/alpine3.17/Dockerfile +++ b/3.8/alpine3.17/Dockerfile @@ -45,6 +45,7 @@ RUN set -eux; \ make \ ncurses-dev \ openssl-dev \ + patchelf \ pax-utils \ readline-dev \ sqlite-dev \ @@ -83,13 +84,15 @@ RUN set -eux; \ # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit() # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ 
diff --git a/3.8/bullseye/Dockerfile b/3.8/bullseye/Dockerfile index 66c323faf..bf40a6801 100644 --- a/3.8/bullseye/Dockerfile +++ b/3.8/bullseye/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.8.16 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -52,15 +58,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -78,6 +84,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.8/buster/Dockerfile b/3.8/buster/Dockerfile index e60029f80..5f0306b6f 100644 --- a/3.8/buster/Dockerfile +++ b/3.8/buster/Dockerfile 
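Review bot: In `3.8/bullseye/Dockerfile` the cleanup added at `@@ -78,6 +84,11 @@` runs `apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false` over the whole image, although the only package this RUN installs is `patchelf`. Any package the base image already carries as auto-installed and that is held only by a Recommends would presumably be removed as well, which changes the image contents beyond what the commit intends. Replacing the `apt-mark`/`--auto-remove` lines with `apt-get purge -y patchelf; \` keeps the removal scoped to what was added; if the full pass is kept, a comment such as `# only patchelf was installed above; nothing else is expected to be removed` would record the assumption. The same lines are added in `3.8/buster`, `3.9/bullseye`, `3.9/buster` and in the template hunk `@@ -261,10 +270,10 @@`.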
@@ -27,6 +27,12 @@ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.8.16 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -52,15 +58,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -78,6 +84,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.8/slim-bullseye/Dockerfile b/3.8/slim-bullseye/Dockerfile index e6d9efc5f..39daf590f 100644 --- a/3.8/slim-bullseye/Dockerfile +++ b/3.8/slim-bullseye/Dockerfile @@ -46,6 +46,7 @@ RUN set -eux; \ libsqlite3-dev \ libssl-dev \ make \ + patchelf \ tk-dev \ uuid-dev \ wget \ 
@@ -77,13 +78,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ diff --git a/3.8/slim-buster/Dockerfile b/3.8/slim-buster/Dockerfile index b274c500c..6078ad846 100644 --- a/3.8/slim-buster/Dockerfile +++ b/3.8/slim-buster/Dockerfile @@ -46,6 +46,7 @@ RUN set -eux; \ libsqlite3-dev \ libssl-dev \ make \ + patchelf \ tk-dev \ uuid-dev \ wget \ @@ -77,13 +78,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ diff --git a/3.9/alpine3.16/Dockerfile b/3.9/alpine3.16/Dockerfile index 13e1ecf44..ca3f157d3 100644 --- a/3.9/alpine3.16/Dockerfile +++ b/3.9/alpine3.16/Dockerfile @@ -45,6 +45,7 @@ RUN set -eux; \ make \ ncurses-dev \ openssl-dev \ + patchelf \ pax-utils \ readline-dev \ sqlite-dev \ 
@@ -83,13 +84,15 @@ RUN set -eux; \ # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit() # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ diff --git a/3.9/alpine3.17/Dockerfile b/3.9/alpine3.17/Dockerfile index 56046797f..acf19e632 100644 --- a/3.9/alpine3.17/Dockerfile +++ b/3.9/alpine3.17/Dockerfile @@ -45,6 +45,7 @@ RUN set -eux; \ make \ ncurses-dev \ openssl-dev \ + patchelf \ pax-utils \ readline-dev \ sqlite-dev \ @@ -83,13 +84,15 @@ RUN set -eux; \ # set thread stack size to 1MB so we don't segfault before we hit sys.getrecursionlimit() # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ 
diff --git a/3.9/bullseye/Dockerfile b/3.9/bullseye/Dockerfile index dfb6cfa83..187c70055 100644 --- a/3.9/bullseye/Dockerfile +++ b/3.9/bullseye/Dockerfile @@ -27,6 +27,12 @@ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.16 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -52,15 +58,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -77,6 +83,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.9/buster/Dockerfile b/3.9/buster/Dockerfile index 39e2b37cf..3e10a2b00 100644 --- a/3.9/buster/Dockerfile +++ b/3.9/buster/Dockerfile 
@@ -27,6 +27,12 @@ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.16 RUN set -eux; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + patchelf \ + ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ @@ -52,15 +58,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -77,6 +83,11 @@ RUN set -eux; \ \ ldconfig; \ \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/*; \ + \ python3 --version # make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) diff --git a/3.9/slim-bullseye/Dockerfile b/3.9/slim-bullseye/Dockerfile index d0625c293..f10075a8e 100644 --- a/3.9/slim-bullseye/Dockerfile +++ b/3.9/slim-bullseye/Dockerfile @@ -46,6 +46,7 @@ RUN set -eux; \ libsqlite3-dev \ libssl-dev \ make \ + patchelf \ tk-dev \ uuid-dev \ wget \ 
@@ -77,13 +78,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ diff --git a/3.9/slim-buster/Dockerfile b/3.9/slim-buster/Dockerfile index d61c45e28..f11ba0b06 100644 --- a/3.9/slim-buster/Dockerfile +++ b/3.9/slim-buster/Dockerfile @@ -46,6 +46,7 @@ RUN set -eux; \ libsqlite3-dev \ libssl-dev \ make \ + patchelf \ tk-dev \ uuid-dev \ wget \ @@ -77,13 +78,15 @@ RUN set -eux; \ ; \ nproc="$(nproc)"; \ make -j "$nproc" \ -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib',--strip-all" \ + LDFLAGS="-Wl,--strip-all" \ ; \ make install; \ \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ + \ cd /; \ rm -rf /usr/src/python; \ \ diff --git a/Dockerfile-linux.template b/Dockerfile-linux.template index cf32ec445..6f29c5c9d 100644 --- a/Dockerfile-linux.template +++ b/Dockerfile-linux.template @@ -99,6 +99,7 @@ RUN set -eux; \ make \ ncurses-dev \ openssl-dev \ + patchelf \ pax-utils \ readline-dev \ sqlite-dev \ 
@@ -110,10 +111,11 @@ RUN set -eux; \ zlib-dev \ ; \ \ -{{ ) elif is_slim then ( -}} +{{ ) else ( -}} savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends \ +{{ if is_slim then ( -}} dpkg-dev \ gcc \ gnupg dirmngr \ @@ -129,14 +131,18 @@ RUN set -eux; \ libsqlite3-dev \ libssl-dev \ make \ + patchelf \ tk-dev \ uuid-dev \ wget \ xz-utils \ zlib1g-dev \ +{{ ) else ( -}} + patchelf \ +{{ ) end -}} ; \ \ -{{ ) else "" end -}} +{{ ) end -}} wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ @@ -172,10 +178,9 @@ RUN set -eux; \ # https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0 EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" \ {{ ) else "" end -}} -# \$ because of the double quotes in the shell to prevent interpolation -# $$ for make to not interpret the $O -# " because it needs the ' around the path, and '"'"' instead is 🤢 - LDFLAGS="-Wl,-rpath='\$\$ORIGIN/../lib'{{ if is_slim or is_alpine then ",--strip-all" else "" end }}" \ +{{ if is_slim or is_alpine then ( -}} + LDFLAGS="-Wl,--strip-all" \ +{{ ) else "" end -}} {{ if env.version == "3.7" then ( -}} # setting PROFILE_TASK makes "--enable-optimizations" reasonable: https://bugs.python.org/issue36044 / https://github.com/docker-library/python/issues/160#issuecomment-509426916 PROFILE_TASK='-m test.regrtest --pgo \ 
@@ -224,10 +229,14 @@ RUN set -eux; \ -}} ; \ make install; \ + \ +# https://github.com/docker-library/python/issues/784 +# prevent accidental usage of a system installed libpython of the same version + bin="$(readlink -vf /usr/local/bin/python3)"; \ + patchelf --set-rpath '$ORIGIN/../lib' "$bin"; \ {{ if is_alpine or is_slim then "" else ( -}} \ # enable GDB to load debugging data: https://github.com/docker-library/python/pull/701 - bin="$(readlink -ve /usr/local/bin/python3)"; \ dir="$(dirname "$bin")"; \ mkdir -p "/usr/share/gdb/auto-load/$dir"; \ cp -vL Tools/gdb/libpython.py "/usr/share/gdb/auto-load/$bin-gdb.py"; \ @@ -261,10 +270,10 @@ RUN set -eux; \ apk del --no-network .build-deps; \ {{ ) else ( -}} ldconfig; \ -{{ if is_slim then ( -}} \ apt-mark auto '.*' > /dev/null; \ apt-mark manual $savedAptMark; \ +{{ if is_slim then ( -}} find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' \ | awk '/=>/ { print $(NF-1) }' \ | sort -u \ @@ -273,9 +282,9 @@ RUN set -eux; \ | sort -u \ | xargs -r apt-mark manual \ ; \ +{{ ) else "" end -}} apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ rm -rf /var/lib/apt/lists/*; \ -{{ ) else "" end -}} {{ ) end -}} \ python3 --version
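Review bot: `bin="$(readlink -vf /usr/local/bin/python3)"` in hunk `@@ -224,10 +229,14 @@` replaces the removed `readlink -ve`, and `-f` does not require the final path component to exist, so a dangling `python3` link now yields a path instead of an error. patchelf is then the first command to fail, and the GDB block further down depends on `bin` being set by this step without saying so. A one-line guard after the assignment, `[ -x "$bin" ]; \`, restores the early check in a form that should work in every variant, and the GDB block deserves a comment such as `# "$bin" comes from the patchelf step above`. The RUN instruction starts and ends outside the hunk.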