repro-get: reproducible apt, dnf, apk, and pacman, with content-addressing
kpcyrd
kpcyrd at archlinux.org
Fri Oct 21 22:39:48 UTC 2022
On 10/21/22 16:59, Akihiro Suda wrote:
> repro-get is a tool to install a specific snapshot of apt/dnf/apk/pacman
> packages using SHA256SUMS files:
Cool stuff! Exciting to see some new reproducible builds tools being
released, especially for reproducible containers. :)
I've submitted a PR in an attempt to get Arch Linux out of
"experimental" and making it the first distro that checks all 3 boxes in
the readme. It also fixes a bug in the current `pacman-key --verify` code.
https://github.com/reproducible-containers/repro-get/pull/15
There's another challenge that isn't mentioned yet, docker and some of
the other build tools may embed their version into the layer config.
Docker uses the `docker_version` key, so even if everything inside the
image/Dockerfile is pinned and all timestamps match, you still need to
match this version on the build host.
You could try to work around this the same way
https://github.com/chainguard-dev/apko does, by manually creating a
container .tar.
cheers,
kpcyrd
More information about the rb-general
mailing list