<div dir="ltr">Hi, let me share my new tool "repro-get" and the current status of reproducible Docker/OCI containers:<br><a href="https://github.com/reproducible-containers/repro-get">https://github.com/reproducible-containers/repro-get</a><br><br>repro-get is a tool to install a specific snapshot of apt/dnf/apk/pacman packages using SHA256SUMS files:<br><br>```<br>$ cat SHA256SUMS-amd64<br>35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc  pool/main/h/hello/hello_2.10-2_amd64.deb<br><br>$ repro-get install SHA256SUMS-amd64<br>(001/001) hello_2.10-2_amd64.deb Downloading from <a href="http://debian.notset.fr/snapshot/by-hash/SHA256/35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc">http://debian.notset.fr/snapshot/by-hash/SHA256/35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc</a><br>...<br>Preparing to unpack .../35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc ...<br>Unpacking hello (2.10-2) ...<br>Setting up hello (2.10-2) ...<br>```<br><br>repro-get currently supports Debian, Ubuntu, Fedora, Alpine, and Arch Linux.<br>For Debian, the packages are fetched from <a href="http://debian.notset.fr/snapshot/by-hash/SHA256/{{.SHA256}}">http://debian.notset.fr/snapshot/by-hash/SHA256/{{.SHA256}}</a> by default.<br>Fedora packages are fetched from <a href="http://kojipkgs.fedoraproject.org">kojipkgs.fedoraproject.org</a>, and Arch Linux packages are fetched from <a href="http://archive.archlinux.org">archive.archlinux.org</a>.<br><br>Ubuntu and Alpine lack such package archive sites AFAIK, but users can configure repro-get to fetch packages from <br>a custom HTTP/HTTPS site, OCI (Open Container Initiative) registries such as Git{Hub, Lab} Container Registries, or even IPFS.<br><br>repro-get also experimentally supports generating a Dockerfile to build reproducible Docker/OCI containers using the SHA256SUMS files:<br><a 
href="https://github.com/reproducible-containers/repro-get/tree/v0.2.0/examples/gcc">https://github.com/reproducible-containers/repro-get/tree/v0.2.0/examples/gcc</a><br><br>The generated Dockerfiles are currently only "quasi-"reproducible; the contents of the files inside the image are reproducible,<br>but the image ID (computed from the checksums of the tar archive layers) is not reproducible due to several issues in BuildKit<br>(the toolkit used by `docker build`):<br>- The timestamp of /etc cannot be changed: <a href="https://github.com/moby/buildkit/issues/3148">https://github.com/moby/buildkit/issues/3148</a><br>- The container config JSON contains unchangeable timestamps: <a href="https://github.com/moby/buildkit/issues/3167">https://github.com/moby/buildkit/issues/3167</a><br>- The timestamps of "whiteouts" (pseudo files for representing file removals) cannot be changed: <a href="https://github.com/moby/buildkit/issues/3168">https://github.com/moby/buildkit/issues/3168</a><br><br>Fixes are to come, and the current discussion can be followed in <a href="https://github.com/moby/buildkit/labels/area%2Freproducible-builds">https://github.com/moby/buildkit/labels/area%2Freproducible-builds</a>.<br><br>Regards,<br>Akihiro Suda<br></div>
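<p>An added example, not part of the original message and not repro-get's own code: a Go sketch of the pinning model described above, which parses a SHA256SUMS file, renders the by-hash URL, and checks fetched bytes against the pinned digest before anything is installed. The names Entry, ParseSums, BlobURL and Verify are hypothetical, and reading the URL pattern as Go text/template syntax is an assumption.</p>

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"text/template"
)

// Entry is one SHA256SUMS line: "<hex digest> <mode char><path>".
type Entry struct{ SHA256, Path string }

// ParseSums parses sha256sum-style text strictly; any malformed line is an error.
func ParseSums(text string) ([]Entry, error) {
	var out []Entry
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		digest, rest, ok := strings.Cut(line, " ")
		raw, err := hex.DecodeString(digest)
		if !ok || err != nil || len(raw) != sha256.Size || len(rest) < 2 {
			return nil, fmt.Errorf("malformed SHA256SUMS line %q", line)
		}
		out = append(out, Entry{strings.ToLower(digest), rest[1:]})
	}
	return out, nil
}

// BlobURL renders a content-addressed URL template for one entry.
func BlobURL(tmpl string, e Entry) (string, error) {
	var sb strings.Builder
	t, err := template.New("url").Parse(tmpl)
	if err == nil {
		err = t.Execute(&sb, e)
	}
	return sb.String(), err
}

// Verify reports whether fetched bytes match the pinned digest.
func Verify(e Entry, blob []byte) bool {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:]) == e.SHA256
}

func main() {
	// The SHA256SUMS line is the one quoted in the message; the blob is constructed.
	es, err := ParseSums("35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc  pool/main/h/hello/hello_2.10-2_amd64.deb\n")
	u, uerr := BlobURL("http://debian.notset.fr/snapshot/by-hash/SHA256/{{.SHA256}}", es[0])
	fmt.Println(u, err, uerr, Verify(es[0], []byte("constructed bytes, not the real .deb")))
}
```

<p>Because the digest is the lookup key, the mirror serving the blob (HTTP site, OCI registry or IPFS) does not need to be trusted: a blob that fails Verify is rejected regardless of where it came from.</p>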