Support reproducible builds (except packages) #38
Conversation
Dockerfile lines under review:

    # SOURCE_DATE_EPOCH is consumed by build scripts
    ARG SOURCE_DATE_EPOCH

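Review bot: `ARG SOURCE_DATE_EPOCH` is declared without a default, so the value that is supposed to make the build reproducible is whatever the builder happens to pass; a rebuild that omits `--build-arg SOURCE_DATE_EPOCH=...` leaves the variable unset, and one that passes a different value produces a different image from the same Dockerfile. Either derive the value from the source material inside the Dockerfile (as the thread later does) or record the value used alongside the published build so a reproducer can supply the same one.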
The rest of this is unobjectionable, but I'm not in favor of ARG.
Sorry, could you explain the problem?
Isn't it quite common to specify the epoch for repro builds?
The SOURCE_DATE_EPOCH has already been used in the meta scripts, no?
@tianon Please let me know how I can make progress on this PR (and other PRs tracked in docker-library/official-images#16044) 🙏
Do you prefer the SOURCE_DATE_EPOCH to be set to the timestamp of bash.tar.gz? (as in golang)
I can update this PR like that if you like, but I think having the "global" ARG SOURCE_DATE_EPOCH here still makes sense, as SOURCE_DATE_EPOCH also applies to apk commands, etc.
Updated the PR to take SOURCE_DATE_EPOCH from the source material (as in golang):

    SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"

Let me know if this solves your concern.
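The epoch derivation above, together with what a build script then does with the value, as an added Python example that is not code from the bash image repository or from this PR: `build_tarball()` and `simulate_builds()` are hypothetical stand-ins for the image's build scripts, the source tree and build times are constructed, and the clamp rule `min(mtime, SOURCE_DATE_EPOCH)` is an assumption about how the scripts consume the value.

```python
# Added example (not from the bash image repository or this PR): derive
# SOURCE_DATE_EPOCH from the source tree the way the PR does (newest file
# mtime) and clamp timestamps in a build artifact so two builds run at
# different times are byte-identical. build_tarball() and simulate_builds()
# are hypothetical stand-ins for the image's build scripts.
import hashlib, io, os, shutil, tarfile, tempfile

def source_date_epoch_of(src_dir):
    # Same value as the PR's pipeline:
    # find DIR -type f -exec stat -c '%Y' {} + | sort -nr | head -n1
    return max(int(os.stat(os.path.join(r, f)).st_mtime)
               for r, _, files in os.walk(src_dir) for f in files)

def build_tarball(out_dir, epoch):
    # Fixed order and ownership; with epoch set, mtime := min(mtime, epoch), so
    # build-time outputs collapse to the source epoch. epoch=None leaks the clock.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for root, dirs, files in os.walk(out_dir):
            dirs.sort()
            for name in sorted(files):
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, out_dir))
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mtime = int(info.mtime) if epoch is None else min(int(info.mtime), epoch)
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()

def simulate_builds():
    # Constructed scenario: a two-file source tree built twice at different
    # (constructed) wall-clock times; each build emits a generated "bash" file.
    src = tempfile.mkdtemp()
    for name, mtime in (("configure", 1_700_000_000), ("main.c", 1_700_000_100)):
        with open(os.path.join(src, name), "w") as fh:
            fh.write(f"// {name}\n")
        os.utime(fh.name, (mtime, mtime))
    epoch = source_date_epoch_of(src)
    clamped, unclamped = [], []
    for build_time in (1_800_000_000, 1_800_000_050):
        out = tempfile.mkdtemp()
        for name in os.listdir(src):
            shutil.copy2(os.path.join(src, name), out)  # copy2 keeps source mtimes
        with open(os.path.join(out, "bash"), "w") as fh:  # build-time output
            fh.write("#!/bin/sh\necho built\n")
        os.utime(fh.name, (build_time, build_time))
        clamped.append(hashlib.sha256(build_tarball(out, epoch)).hexdigest())
        unclamped.append(hashlib.sha256(build_tarball(out, None)).hexdigest())
    return {"epoch": epoch, "clamped": clamped, "unclamped": unclamped}
```

With the epoch applied, both builds hash identically; without it, the generated file's mtime differs and so do the archives.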
Completely removed ARG SOURCE_DATE_EPOCH
Is this (and other PRs in docker-library/official-images#16044) mergeable? 🙏 @tianon @tonistiigi
ping 🙇‍♂️ @tianon
See docker-library/official-images issue 16044

- `SOURCE_DATE_EPOCH` is added. The value is consumed by the build scripts to make the binary reproducible.
- For Alpine, virtual package versions are pinned to "0" to eliminate the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed`

> [!NOTE]
> The following topics are NOT covered by this commit:
>
> - To reproduce file timestamps in layers, BuildKit has to be executed with
>   `--output type=<TYPE>,rewrite-timestamp=true`.
>   Needs BuildKit v0.13 or later.
>
> - To reproduce the base image by the hash, reproducers may:
>   - modify the `FROM` instruction in Dockerfile manually
>   - or, use the `CONVERT` action of source policies to replace the base image.
>   <https://github.com/moby/buildkit/blob/v0.13.2/docs/build-repro.md>
>
> - To reproduce packages, see the `RUN` instruction hook proposed in
>   moby/buildkit issue 4576

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>