Apt reproducible installs
Roland Clobus
rclobus at rclobus.nl
Sun Apr 27 15:47:26 UTC 2025
Hello cen,
On 25/04/2025 12:25, cen wrote:
> Are there any efforts underway for apt to do reproducible installs?
>
> I am trying to build bit-by-bit identical OCI images and it feels like I
> am doing a lot of hacks and workarounds to get things working
You can perhaps copy some of the effort that makes the live ISO images
and the docker images reproducible.
https://wiki.debian.org/ReproducibleInstalls/LiveImages
https://docker.debian.net/
> and in reality it should be apt that needs to evolve and support
> reproducible installs.
>
> Running apt in "reproducible mode" could automatically:
>
> 1. Switch to snapshots repo according to SOURCE_DATE_EPOCH
I'm quite hesitant about this step. The timestamp in the 'InRelease'
file in the snapshot often does not match the timestamp in the URL for
snapshot.debian.org; the first is more authoritative and informative.
> 2. Disable logging and caching or at least clean after
Do you want/need to have log files in your container?
> 3. Use SOURCE_DATE_EPOCH on all installed files (either natively or
> automatically using libfaketime)
Something like this:
find myUnpackedOCIfolder \
  -newermt "$(date -d@${SOURCE_DATE_EPOCH} '+%Y-%m-%d %H:%M:%S')" \
  -printf "%y %p\n" \
  -exec touch '{}' -d@${SOURCE_DATE_EPOCH} --no-dereference ';' \
  > modified_timestamps
https://sources.debian.org/src/live-build/1:20250225/scripts/build/binary/?hl=74#L74
> 4. ???
> 5. Profit!
>
>
> Just throwing ideas out there but the current situation when I need half
> of my Dockerfile to be scripts forcing apt to play nicely is not ideal.
Now I reached the end of your mail: 'Dockerfile' -> look at debuerreotype
With kind regards,
Roland Clobus
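
The mismatch described in the reply to point 1 can be measured before a build pins a snapshot. The script below is an added example, not part of the original message or of any Debian tool: it compares the Date: field of an InRelease file with the timestamp embedded in a snapshot URL. The function names, the sample file and the sample URL are constructed, and GNU date is assumed.

```shell
#!/bin/sh
# Added example: compare the signed Date: field of an InRelease file with the
# timestamp in a snapshot URL. All sample values are constructed.

# Epoch seconds of the Date: field. This only reads the field; verifying the
# InRelease signature is a separate step and is not done here.
release_epoch() {
    rel_date=$(sed -n 's/^Date:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$rel_date" ] || return 1
    date -u -d "$rel_date" +%s
}

# Epoch seconds of the YYYYMMDDTHHMMSSZ component of a snapshot URL.
snapshot_url_epoch() {
    url_ts=$(printf '%s\n' "$1" | grep -oE '[0-9]{8}T[0-9]{6}Z' | head -n 1)
    [ -n "$url_ts" ] || return 1
    date -u -d "$(printf '%s\n' "$url_ts" |
        sed -E 's/^(....)(..)(..)T(..)(..)(..)Z$/\1-\2-\3 \4:\5:\6 UTC/')" +%s
}

# Seconds by which the URL timestamp is later than the signed Date: field.
snapshot_skew() {
    rel=$(release_epoch "$1") || return 1
    url=$(snapshot_url_epoch "$2") || return 1
    echo $(( url - rel ))
}

# Constructed sample: a minimal Release-style header and a snapshot URL.
sample_release=$(mktemp)
cat > "$sample_release" <<'EOF'
Origin: Debian
Suite: stable
Date: Sat, 26 Apr 2025 20:19:38 UTC
EOF
sample_url='https://snapshot.debian.org/archive/debian/20250427T000000Z/'

skew=$(snapshot_skew "$sample_release" "$sample_url")
echo "URL timestamp is ${skew}s after the InRelease Date"
echo "SOURCE_DATE_EPOCH candidate from InRelease: $(release_epoch "$sample_release")"
```

A build that records the InRelease value rather than the URL value keeps the timestamp tied to the signed metadata, which is the field the reply calls more authoritative.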