repro-get: reproducible apt, dnf, apk, and pacman, with content-addressing

kpcyrd kpcyrd at archlinux.org
Fri Oct 21 22:39:48 UTC 2022


On 10/21/22 16:59, Akihiro Suda wrote:
> repro-get is a tool to install a specific snapshot of apt/dnf/apk/pacman 
> packages using SHA256SUMS files:

Cool stuff! Exciting to see some new reproducible builds tools being 
released, especially for reproducible containers. :)

I've submitted a PR in an attempt to get Arch Linux out of 
"experimental" and making it the first distro that checks all 3 boxes in 
the readme. It also fixes a bug in the current `pacman-key --verify` code.

https://github.com/reproducible-containers/repro-get/pull/15

There's another challenge that isn't mentioned yet, docker and some of 
the other build tools may embed their version into the layer config. 
Docker uses the `docker_version` key, so even if everything inside the 
image/Dockerfile is pinned and all timestamps match, you still need to 
match this version on the build host.

You could try to work around this the same way 
https://github.com/chainguard-dev/apko does, by manually creating a 
container .tar.

cheers,
kpcyrd


More information about the rb-general mailing list