Bit-for-bit reproducible builds with Dockerfile
Deterministic timestamps and deterministic apt-get
- Track: Containers devroom
- Room: UB2.252A (Lameere)
- Day: Saturday
- Start: 12:55
- End: 13:15
It wasn't easy to reproduce the same container image from its Dockerfile, due to changes in timestamps and "aptgettable" package versions. This lack of reproducibility has been a threat to the trustworthiness of container images and binary artifacts built inside containers.
In this talk, Akihiro Suda will introduce the current work being done to enable reproducible builds in the Dockerfile ecosystem.
This talk will consist of two parts. The first part will explain the current status of implementing the SOURCE_DATE_EPOCH specification [1] in BuildKit [2] for deterministic timestamps of rootfs files and OCI metadata.
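The SOURCE_DATE_EPOCH rule the first part of the talk refers to is simple to state: a build reads the variable as an integer Unix timestamp and clamps any file mtime later than it down to that value, so the archived layer no longer depends on the wall-clock time of the build. The following is an added example of that rule applied to a tar layer, written for this page; it is not BuildKit's code. The rootfs tree, file contents and timestamps are constructed, and `build_layer`, `make_tree` and `demo` are hypothetical helper names.

```python
"""Added example: clamp file mtimes to SOURCE_DATE_EPOCH while packing a
tar layer, so two builds of the same tree give byte-identical archives."""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile


def read_source_date_epoch(env):
    """Parse SOURCE_DATE_EPOCH from an environment mapping as the spec
    defines it: an integer number of seconds since the Unix epoch.
    Returns None when the variable is unset."""
    value = env.get("SOURCE_DATE_EPOCH")
    if value is None:
        return None
    return int(value)


def build_layer(root, source_date_epoch=None):
    """Pack directory `root` into an uncompressed tar held in memory.

    Entries are added in sorted order; owner fields are normalised to
    root; and when source_date_epoch is given, every mtime later than it
    is clamped down to it (the clamping rule from the spec).  Without the
    clamp the archive bytes depend on when the files were written."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic traversal order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                info = tar.gettarinfo(full, arcname=os.path.relpath(full, root))
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mtime = int(info.mtime)
                if source_date_epoch is not None and info.mtime > source_date_epoch:
                    info.mtime = source_date_epoch
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    return buf.getvalue()


def layer_digest(data):
    """Digest of the layer bytes, in the sha256:<hex> form OCI uses."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_tree(mtime):
    """Constructed sample rootfs: two files whose mtime is set to `mtime`."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    for rel, content in [("etc/motd", b"hello\n"), ("bin.txt", b"x" * 10)]:
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
    return root


def demo():
    """Build the same tree as if it had been checked out at two different
    times.  Returns ((digest_a, digest_b) without the clamp,
    (digest_a, digest_b) with SOURCE_DATE_EPOCH applied)."""
    epoch = read_source_date_epoch({"SOURCE_DATE_EPOCH": "1600000000"})
    tree_a = make_tree(1_700_000_000)
    tree_b = make_tree(1_700_003_600)  # same content, written an hour later
    try:
        unpinned = (layer_digest(build_layer(tree_a)),
                    layer_digest(build_layer(tree_b)))
        pinned = (layer_digest(build_layer(tree_a, epoch)),
                  layer_digest(build_layer(tree_b, epoch)))
    finally:
        shutil.rmtree(tree_a)
        shutil.rmtree(tree_b)
    return unpinned, pinned


if __name__ == "__main__":
    unpinned, pinned = demo()
    print("without SOURCE_DATE_EPOCH:", unpinned[0] == unpinned[1])
    print("with SOURCE_DATE_EPOCH:   ", pinned[0] == pinned[1])
```

The two unclamped builds differ only in the mtime field of each tar header, yet that is enough to change the layer digest; after clamping, both trees produce the same digest, which is what lets a verifier compare a rebuilt image against a published one.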
The second part will introduce a new tool called repro-get [3], which can be used to deterministically install a specific snapshot of apt, dnf, apk, and pacman packages. The packages are fetched by their SHA256 hash from various file providers including HTTP(S) sites, local filesystems, OCI registries, and even IPFS. The repro-get tool is expected to be used for containers in conjunction with the SOURCE_DATE_EPOCH work, but it can also be useful in non-container environments.
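The security property behind fetching packages by SHA256 hash is that the provider becomes untrusted: whether the bytes come from an HTTP mirror, a local directory, a registry or IPFS, they are accepted only if they hash to the pinned digest, so a stale or tampered mirror can cause a failed fetch but never a silently different package set. The following is an added example of that fail-closed verification loop, written for this page; it is not repro-get's code and does not implement its file formats. The lock lines follow the `sha256sum` layout (`<hex>  <path>`), the package bytes and provider classes are constructed, and `parse_lock`, `fetch_all` and `demo` are hypothetical names.

```python
"""Added example: content-addressed package fetching with fail-closed
verification.  Any provider may supply the bytes; they are accepted only
when their SHA256 matches the pinned digest."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_lock(text):
    """Parse sha256sum-style lines ('<hex>  <path>') into {path: hex}.
    Malformed lines raise rather than being skipped: a lock file that
    cannot be parsed must not silently pin fewer packages."""
    pinned = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"lock line {lineno}: expected '<sha256>  <path>'")
        digest, path = parts
        pinned[path.strip()] = digest.lower()
    return pinned


class DictProvider:
    """Constructed stand-in for a file provider (mirror, local directory,
    registry...): maps path -> bytes, returns None when it lacks the file."""

    def __init__(self, name, files):
        self.name = name
        self.files = files

    def get(self, path):
        return self.files.get(path)


class TamperedProvider:
    """Constructed provider that serves a corrupted copy of every file it
    is asked for (one flipped bit), standing in for a bad mirror."""

    def __init__(self, name, inner):
        self.name, self.inner = name, inner

    def get(self, path):
        data = self.inner.get(path)
        return None if data is None else data[:-1] + bytes([data[-1] ^ 0x01])


def fetch_all(pinned, providers):
    """Fetch every pinned package from the first provider whose bytes
    match the pinned digest.  Returns (accepted, rejected): accepted maps
    path -> (provider name, bytes); rejected lists (path, provider name)
    for every copy that was discarded.  Raises LookupError when no
    provider can supply a verifiable copy, so nothing is installed."""
    accepted, rejected = {}, []
    for path, want in pinned.items():
        for prov in providers:
            data = prov.get(path)
            if data is None:
                continue
            if sha256_hex(data) == want:
                accepted[path] = (prov.name, data)
                break
            rejected.append((path, prov.name))
        else:
            raise LookupError(f"no provider supplied {path} with sha256 {want}")
    return accepted, rejected


# Constructed package bytes and lock file; not real .deb content.
PACKAGE_BYTES = {
    "pool/main/h/hello/hello_2.10-2_amd64.deb": b"constructed deb: hello",
    "pool/main/z/zlib/zlib1g_1.2.13_amd64.deb": b"constructed deb: zlib1g",
}
LOCK_TEXT = "".join(f"{sha256_hex(b)}  {p}\n" for p, b in PACKAGE_BYTES.items())


def demo():
    """Consult a tampered mirror first, then a good snapshot mirror."""
    pinned = parse_lock(LOCK_TEXT)
    good = DictProvider("snapshot-mirror", PACKAGE_BYTES)
    bad = TamperedProvider("untrusted-mirror", good)
    return fetch_all(pinned, [bad, good])


if __name__ == "__main__":
    accepted, rejected = demo()
    for path, (source, _) in accepted.items():
        print(f"ok       {path} from {source}")
    for path, source in rejected:
        print(f"rejected {path} from {source}")
```

Because acceptance depends only on the digest, provider order is a matter of availability and speed, not trust; the lock file is the only input that has to be protected, which is what makes it reasonable to commit it next to the Dockerfile.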
- [1] https://reproducible-builds.org/specs/source-date-epoch/
- [2] https://github.com/moby/buildkit
- [3] https://github.com/reproducible-containers/repro-get
Speakers
- Akihiro Suda