repro-get: reproducible apt, dnf, apk, and pacman, with content-addressing

Akihiro Suda at
Fri Oct 21 14:59:32 UTC 2022

Hi, let me share my new tool "repro-get" and the current status of
reproducible Docker/OCI containers:

repro-get is a tool to install a specific snapshot of apt/dnf/apk/pacman
packages using SHA256SUMS files:

$ cat SHA256SUMS-amd64

$ repro-get install SHA256SUMS-amd64
(001/001) hello_2.10-2_amd64.deb Downloading from
Preparing to unpack
.../35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc ...
Unpacking hello (2.10-2) ...
Setting up hello (2.10-2) ...

repro-get currently supports Debian, Ubuntu, Fedora, Alpine, and Arch Linux.
For Debian, the packages are fetched from{{.SHA256}} by default.
Fedora packages are fetched from , and Arch
Linux packages are fetched from .

Ubuntu and Alpine lack such package archive sites AFAIK, but users can
configure repro-get to fetch packages from
a custom HTTP/HTTPS site, OCI (Open Container Initiative) registries such
as Git{Hub, Lab} Container Registries, or even IPFS.

repro-get also experimentally supports generating Dockerfile to build a
reproducible Docker/OCI containers using the SHA256SUMS files:

The generated Dockerfiles are currently only "quasi-"reproducibile; the
contents of the files inside the image are reproducible,
but the image ID (computed from the checksums of the tar archive layers) is
not reproducible due to several issues in BuildKit
(the toolkit used by `docker build`):
- The timestamp of /etc cannot be changed:
- The container config JSON contains unchangeable timestamps:
- The timestamps of "whiteouts" (pseudo files for representing file
removals) cannot be changed:

Fixes are to come, and the current discussion can be followed in .

Akihiro Suda
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the rb-general mailing list