Reproduced OCI images (Was: repro-env: Documented and reproducible build environments)
kpcyrd
kpcyrd at archlinux.org
Sun Apr 27 13:56:21 UTC 2025
On 4/25/25 12:00 PM, cen wrote:
>> You can think of it as "Cargo.toml/Cargo.lock but for GNU/Linux build
>> environments".
>
> Interesting tool. I was trying to figure out if this could help me
> produce reproducible OCI images but the workflow seems to work against me.
>
> Is there a clever way repro-env could produce a base image for build
> and/or runtime step of my Dockerfile or am I simply misusing it?
This was recently requested by jwnx, but closed as "not planned"
(however feel free to take whatever is useful from the codebase to
implement this in a second tool):
https://github.com/kpcyrd/repro-env/issues/27
I know that regular Docker has improved a lot in terms of
reproducibility, but I think the more promising approach is something
like these 2 tools combined:
- https://github.com/chainguard-dev/apko
- https://github.com/chainguard-dev/melange
Last time I checked, neither of them had implemented buildinfo files
however, so they were only reproducible if Alpine never updates their
packages (and even if there were buildinfo files, no entity ever stepped
up to host a historic Alpine archive you could pull from).
I somewhat gave up on OCI security after I learned "you can't publish
into a registry without breaking chain of custody":
https://github.com/sigstore/cosign/issues/2516#issuecomment-1343711118
If there's a tool to wrap a single statically linked binary (that I
built with repro-env) into an OCI image I would be very curious to know
about this tool, but I'm still not sure that would give you "bit for bit
identical reproducible builds" in the traditional sense, as soon as you
introduce "push and pull from a registry".
I'd gladly be proven wrong however.
cheers,
kpcyrd
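To make concrete what "bit for bit identical" means for an OCI image, and which digest moves when a build-host timestamp leaks in, here is an added example. It is not code from this thread and not repro-env, apko or melange code. It wraps a single static binary into a one-layer OCI image layout with every host-derived field pinned (tar owner and mtime, gzip header timestamp, no "created" in the config), then rebuilds with a leaked tar mtime and a leaked gzip mtime and reports which of diff_id, layer digest and manifest digest change. The stub binary bytes, the /app path, linux/amd64 and the output directory are all assumptions.

```python
#!/usr/bin/env python3
"""Wrap one static binary into a minimal OCI image layout, deterministically.

Added example for this thread, not code from repro-env, apko or melange.
Assumptions (all hypothetical): the binary is passed in as bytes, the image
is linux/amd64, and the entrypoint is the path the binary is stored under.
"""
import gzip
import hashlib
import io
import json
import os
import sys
import tarfile

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_CONFIG = "application/vnd.oci.image.config.v1+json"
OCI_LAYER_GZ = "application/vnd.oci.image.layer.v1.tar+gzip"


def sha256(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    # Key order and whitespace are part of the bytes that get hashed.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_layer(binary: bytes, path: str, tar_mtime: int = 0, gzip_mtime: int = 0):
    """Return (uncompressed_tar, gzipped_tar) for a one-file layer.

    Every field tar would normally take from the build host (owner, mtime)
    and the gzip header timestamp are pinned. The two *_mtime parameters
    exist only so a caller can see what a leaked timestamp does to digests."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name=path.lstrip("/"))
        info.size = len(binary)
        info.mode = 0o755
        info.uid = info.gid = 0
        info.uname = info.gname = ""
        info.mtime = tar_mtime
        tar.addfile(info, io.BytesIO(binary))
    raw = buf.getvalue()
    # gzip.compress writes no filename into the header; only the timestamp
    # needs pinning (default would be time.time()).
    return raw, gzip.compress(raw, compresslevel=9, mtime=gzip_mtime)


def build_image(binary: bytes, path: str = "/app",
                tar_mtime: int = 0, gzip_mtime: int = 0) -> dict:
    """Build config + manifest blobs and return the digests that matter."""
    raw, gz = make_layer(binary, path, tar_mtime, gzip_mtime)
    config = canonical_json({
        "architecture": "amd64",
        "os": "linux",
        "config": {"Entrypoint": [path]},
        # "created" is deliberately absent: a wall-clock value here would
        # change the config digest, and with it the manifest digest.
        "rootfs": {"type": "layers", "diff_ids": [sha256(raw)]},
    })
    manifest = canonical_json({
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "config": {"mediaType": OCI_CONFIG, "digest": sha256(config), "size": len(config)},
        "layers": [{"mediaType": OCI_LAYER_GZ, "digest": sha256(gz), "size": len(gz)}],
    })
    return {
        "digest": sha256(manifest),     # the content address a registry would use
        "diff_id": sha256(raw),         # uncompressed layer content
        "layer_digest": sha256(gz),     # compressed layer bytes, as pushed
        "manifest": manifest,
        "blobs": {sha256(manifest): manifest, sha256(config): config, sha256(gz): gz},
    }


def write_layout(image: dict, outdir: str) -> str:
    """Write an OCI image layout directory (oci-layout, index.json, blobs/)."""
    blobdir = os.path.join(outdir, "blobs", "sha256")
    os.makedirs(blobdir, exist_ok=True)
    for digest, data in image["blobs"].items():
        with open(os.path.join(blobdir, digest.split(":", 1)[1]), "wb") as f:
            f.write(data)
    with open(os.path.join(outdir, "oci-layout"), "wb") as f:
        f.write(canonical_json({"imageLayoutVersion": "1.0.0"}))
    index = canonical_json({"schemaVersion": 2, "manifests": [
        {"mediaType": OCI_MANIFEST, "digest": image["digest"], "size": len(image["manifest"])}]})
    with open(os.path.join(outdir, "index.json"), "wb") as f:
        f.write(index)
    return image["digest"]


if __name__ == "__main__":
    # Constructed stand-in for a static binary; pass a real file as argv[1].
    binary = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b"\x7fELF-static-stub"
    a, b = build_image(binary), build_image(binary)
    leaked_tar = build_image(binary, tar_mtime=1700000000)
    leaked_gz = build_image(binary, gzip_mtime=1700000000)
    print("rebuild identical:", a["digest"] == b["digest"])
    print("tar mtime leaked: diff_id changes:", leaked_tar["diff_id"] != a["diff_id"])
    print("gzip mtime leaked: diff_id same, layer digest differs:",
          leaked_gz["diff_id"] == a["diff_id"], leaked_gz["layer_digest"] != a["layer_digest"])
    print("layout written, digest:", write_layout(a, sys.argv[2] if len(sys.argv) > 2 else "oci-out"))
```

Two things the output makes visible. First, the manifest digest chains through the compressed layer bytes, so a gzip header timestamp alone changes the image's content address even though the diff_id (what ends up on disk) is unchanged; reproducibility has to be checked at the manifest digest, not only at the rootfs. Second, the gzip bytes depend on the compressor in use (Python's gzip module and the underlying zlib version), so the compressor is part of the build environment that has to be pinned, which is exactly the kind of thing repro-env's lockfile is for. What the example cannot show offline is the point the cosign issue above raises: whether the digest computed here is the same one a registry serves back after push and pull.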
More information about the rb-general mailing list