repro-get: reproducible apt, dnf, apk, and pacman, with content-addressing

Akihiro Suda suda.kyoto at gmail.com
Fri Oct 21 14:59:32 UTC 2022


Hi, let me share my new tool "repro-get" and the current status of
reproducible Docker/OCI containers:
https://github.com/reproducible-containers/repro-get

repro-get is a tool to install a specific snapshot of apt/dnf/apk/pacman
packages using SHA256SUMS files:

```
$ cat SHA256SUMS-amd64
35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc
 pool/main/h/hello/hello_2.10-2_amd64.deb

$ repro-get install SHA256SUMS-amd64
(001/001) hello_2.10-2_amd64.deb Downloading from
http://debian.notset.fr/snapshot/by-hash/SHA256/35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc
...
Preparing to unpack
.../35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc ...
Unpacking hello (2.10-2) ...
Setting up hello (2.10-2) ...
```

repro-get currently supports Debian, Ubuntu, Fedora, Alpine, and Arch Linux.
For Debian, the packages are fetched from
http://debian.notset.fr/snapshot/by-hash/SHA256/{{.SHA256}} by default.
Fedora packages are fetched from kojipkgs.fedoraproject.org, and Arch
Linux packages are fetched from archive.archlinux.org.
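To make the content-addressed flow concrete, here is an added example (not code from repro-get itself) that parses a SHA256SUMS file, expands the provider template above into a by-hash URL, and verifies a fetched blob against the pinned hash before it would be handed to the package manager. The sample entry is constructed: its hash is sha256("hello"), not the hash of the real hello package, and the template expansion is a plain string substitution assumed for this example.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SampleSums is a constructed SHA256SUMS line in the format shown in the post.
// The hash is sha256("hello") so Verify can run offline; not the real .deb hash.
const SampleSums = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  pool/main/h/hello/hello_2.10-2_amd64.deb\n"

// Entry is one SHA256SUMS line: "<hex sha256>  <package path>".
type Entry struct {
	SHA256, Path string
}

// ParseSHA256SUMS parses sha256sum-style input; blank lines are skipped and
// any line without exactly one 64-hex-digit hash and one path is rejected.
func ParseSHA256SUMS(text string) ([]Entry, error) {
	var entries []Entry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if _, err := hex.DecodeString(fields[0]); err != nil || len(fields) != 2 || len(fields[0]) != 64 {
			return nil, fmt.Errorf("malformed SHA256SUMS line: %q", sc.Text())
		}
		entries = append(entries, Entry{SHA256: strings.ToLower(fields[0]), Path: fields[1]})
	}
	return entries, sc.Err()
}

// ByHashURL expands a provider template such as the Debian default in the post,
// replacing {{.SHA256}} with the entry's hash (assumed plain substitution here).
func ByHashURL(template string, e Entry) string {
	return strings.ReplaceAll(template, "{{.SHA256}}", e.SHA256)
}

// Verify recomputes the SHA256 of a fetched blob and compares it with the
// pinned value; a mismatch must abort the install before dpkg/rpm/apk sees it.
func Verify(e Entry, blob []byte) error {
	sum := sha256.Sum256(blob)
	if got := hex.EncodeToString(sum[:]); got != e.SHA256 {
		return fmt.Errorf("%s: sha256 mismatch: want %s, got %s", e.Path, e.SHA256, got)
	}
	return nil
}
```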

Ubuntu and Alpine lack such package archive sites AFAIK, but users can
configure repro-get to fetch packages from
a custom HTTP/HTTPS site, OCI (Open Container Initiative) registries such
as Git{Hub, Lab} Container Registries, or even IPFS.

repro-get also experimentally supports generating Dockerfiles to build
reproducible Docker/OCI containers using the SHA256SUMS files:
https://github.com/reproducible-containers/repro-get/tree/v0.2.0/examples/gcc

The generated Dockerfiles are currently only "quasi-"reproducible; the
contents of the files inside the image are reproducible,
but the image ID (computed from the checksums of the tar archive layers) is
not reproducible due to several issues in BuildKit
(the toolkit used by `docker build`):
- The timestamp of /etc cannot be changed:
https://github.com/moby/buildkit/issues/3148
- The container config JSON contains unchangeable timestamps:
https://github.com/moby/buildkit/issues/3167
- The timestamps of "whiteouts" (pseudo files for representing file
removals) cannot be changed: https://github.com/moby/buildkit/issues/3168

Fixes are to come, and the current discussion can be followed in
https://github.com/moby/buildkit/labels/area%2Freproducible-builds.

Regards,
Akihiro Suda