repro-get: reproducible apt, dnf, apk, and pacman, with content-addressing

Akihiro Suda suda.kyoto at gmail.com
Tue Oct 25 14:01:16 UTC 2022


> I've submitted a PR in an attempt to get Arch Linux out of "experimental"
> and making it the first distro that checks all 3 boxes in the readme.

Thanks, merged your PR, moved Arch Linux out of experimental, and released
v0.2.1 👍:
https://github.com/reproducible-containers/repro-get/releases/tag/v0.2.1

> Docker uses the `docker_version` key, so even if everything inside the
> image/Dockerfile is pinned and all timestamps match, you still need to
> match this version on the build host.

I think this is expected, but I agree it would be nice to have an option to
reduce differences across the releases.



On Fri, Oct 21, 2022 at 18:39, kpcyrd <kpcyrd at archlinux.org> wrote:

> On 10/21/22 16:59, Akihiro Suda wrote:
> > repro-get is a tool to install a specific snapshot of apt/dnf/apk/pacman
> > packages using SHA256SUMS files:
>
> Cool stuff! Exciting to see some new reproducible builds tools being
> released, especially for reproducible containers. :)
>
> I've submitted a PR in an attempt to get Arch Linux out of
> "experimental" and making it the first distro that checks all 3 boxes in
> the readme. It also fixes a bug in the current `pacman-key --verify` code.
>
> https://github.com/reproducible-containers/repro-get/pull/15
>
> There's another challenge that isn't mentioned yet, docker and some of
> the other build tools may embed their version into the layer config.
> Docker uses the `docker_version` key, so even if everything inside the
> image/Dockerfile is pinned and all timestamps match, you still need to
> match this version on the build host.
>
> You could try to work around this the same way
> https://github.com/chainguard-dev/apko does, by manually creating a
> container .tar.
>
> cheers,
> kpcyrd
>
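
Added example, not part of the original thread and not repro-get or Docker code: a check that two image configs from the same pinned build differ only in the `docker_version` key discussed above. The config contents, version strings and the canonical-JSON digest are constructed assumptions; a real image ID is the SHA-256 of the config blob's exact bytes.

```python
import hashlib
import json

# Constructed sample: two image configs from the "same" pinned build,
# produced by builders that differ only in their own version.
BASE_CONFIG = {
    "architecture": "amd64",
    "os": "linux",
    "created": "2022-10-21T00:00:00Z",
    "config": {"Cmd": ["/bin/sh"], "Env": ["PATH=/usr/sbin:/usr/bin"]},
    "rootfs": {"type": "layers", "diff_ids": ["sha256:" + "ab" * 32]},
}
CONFIG_A = {**BASE_CONFIG, "docker_version": "20.10.17"}  # constructed value
CONFIG_B = {**BASE_CONFIG, "docker_version": "20.10.21"}  # constructed value


def config_digest(config):
    """SHA-256 over a canonical JSON serialization (assumption, for comparison)."""
    blob = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def diff_paths(a, b, prefix=""):
    """Return sorted dotted paths whose values differ between two JSON trees."""
    if isinstance(a, dict) and isinstance(b, dict):
        out = []
        for key in sorted(set(a) | set(b)):
            path = f"{prefix}.{key}" if prefix else key
            if key not in a or key not in b:
                out.append(path)  # key present on one side only
            else:
                out.extend(diff_paths(a[key], b[key], path))
        return out
    return [] if a == b else [prefix]


def without_keys(config, keys):
    """Copy of the config with the named top-level keys dropped (comparison only)."""
    return {k: v for k, v in config.items() if k not in keys}


if __name__ == "__main__":
    print("A:", config_digest(CONFIG_A))
    print("B:", config_digest(CONFIG_B))
    print("differing keys:", diff_paths(CONFIG_A, CONFIG_B))
    same = config_digest(without_keys(CONFIG_A, {"docker_version"})) == \
        config_digest(without_keys(CONFIG_B, {"docker_version"}))
    print("equal once docker_version is ignored:", same)
```
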
More information about the rb-general mailing list