[rb-general] official Debian docker images reproducible? (Re: Reproducible system images)

Tianon Gravi tianon at debian.org
Fri Jan 31 18:41:32 UTC 2020

On Thu, 30 Jan 2020 at 07:37, Holger Levsen <holger at layer-acht.org> wrote:
> > > Right now I'm not quite sure, where we (r-b.o) should promote them, eg on
> > > https://reproducible-builds.org/who/#Debian or better create
> > > https://reproducible-builds.org/who/#Docker? Or only on
> > > https://wiki.debian.org/ReproducibleBuilds?
> > We'd be flattered with any reference to it, but it's built upon/only
> > possible thanks to the work of y'all anyhow! :)
> Tianon, I'd be glad to merge patches for
> https://salsa.debian.org/reproducible-builds/reproducible-website/
> and probably best for both https://reproducible-builds.org/who/#Debian
> and https://reproducible-builds.org/who/#Docker ;)

Ok, I'll take a look at sending some merge requests your way for review! :D

> > I hope that docs PR clarifies reasonably, but it might also help to
> > add this bit of color I included in a private reply to Holger (paultag
> > took the conversation off-list to clarify something else and I'd
> > replied there):
> >
> > > As for hashes, I think that's a bit more complicated.  We don't
> > > maintain either directly on that image description because we'd have
> > > to have an explicit "update the hashes" PR to
> > > https://github.com/docker-library/docs for every image update, which
> > > is hopefully understandably not something we're interested in doing
> > > (and would be disruptive for more than just us).  Some of that can be
> > > gleaned from "docker image inspect xxx", which then has a content
> > > digest, but by the time that digest is generated it's round-tripped
> > > through a Docker graph driver, and I'm not 100% sure they all can
> > > handle full reproducibility (AUFS, btrfs, devmapper, etc).
> I think it would still be good to record the hashes somewhere reliably.
> How about in another git repository?

I love this idea, and to that end I've now set up
https://debuerreotype.github.io/ (and updated my aforementioned PR to
reference it explicitly).  I'll plan to keep this up to date as part
of our image update process in the future. :)

- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4

