
Lockfiles?


Posted Apr 17, 2025 13:27 UTC (Thu) by fmoessbauer (subscriber, #171204)
In reply to: Lockfiles? by amarao
Parent article: What's new in APT 3.0

Bit-by-bit reproducible images and docker containers are possible, but still not trivial to achieve. The biggest remaining problems are reproducible installing as well as metadata (in case of containers). But it is doable, as shown in the https://github.com/siemens/kas project, where we build bit-identical containers for both x86_64 and arm64 in the GitHub CI. Users can just fork the project and reproduce the same container.

I also worked together with the team behind snapshot.d.o to make that service scalable and usable by CI systems. Now the service is behind a CDN, reasonably fast and also can be cached locally with a squid cache, if needed. Still, a lot of manual plumbing is needed to make (and keep!) things reproducible - and a lot of time spent in the diffoscope tool.



Lockfiles?

Posted Apr 17, 2025 13:34 UTC (Thu) by amarao (guest, #87073)

Thank you for the information.

And a big thank you for your work. And for diffoscope, it's amazing.

I did it without kas, in a GitHub runner environment... I almost did it, but I found that, with a 12% chance, one file in the image gets 666 permissions (including py files, which is kinda dangerous), and only if the image is built in CI, not locally. Now it's solved by 'retry' for the CI run, but I wonder what the real reason is for such a dangerous bit flip.

Anyway, I got the taste for reproducibility for images and started to spread the gospel everywhere I could. After having reproducibility, non-reproducible setups look... unhygienic.
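A CI gate for the permission drift described in the comment above, as an added example that is not part of either comment or of the kas project: it compares the per-file metadata of two builds and flags regular files that came out world-writable. It assumes each build is available as a plain tar archive (a single layer or a flattened export); the function names and the two-file sample are constructed for illustration.

```python
import hashlib
import io
import stat
import tarfile


def tar_manifest(data: bytes) -> dict:
    """Map each member path to (is_file, mode, uid, gid, mtime, sha256)."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar:
            digest = ""
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            manifest[m.name] = (m.isfile(), stat.S_IMODE(m.mode),
                                m.uid, m.gid, m.mtime, digest)
    return manifest


def world_writable(manifest: dict) -> list:
    """Regular files with the other-write bit set (e.g. 0o666).
    Symlinks and directories are skipped: 0o777 links and 0o1777 /tmp are normal."""
    return sorted(p for p, meta in manifest.items()
                  if meta[0] and meta[1] & stat.S_IWOTH)


def metadata_drift(a: dict, b: dict) -> dict:
    """Paths missing on one side or whose metadata/content differ."""
    return {p: (a.get(p), b.get(p)) for p in sorted(a.keys() | b.keys())
            if a.get(p) != b.get(p)}


def build_sample(py_mode: int) -> bytes:
    """Constructed stand-in for an image layer: two files, fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, body in (("app/main.py", py_mode, b"print('hi')\n"),
                                 ("etc/app.conf", 0o644, b"debug=false\n")):
            info = tarfile.TarInfo(name)
            info.mode, info.mtime, info.size = mode, 0, len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    local = tar_manifest(build_sample(0o644))  # constructed "local" build
    ci = tar_manifest(build_sample(0o666))     # constructed "CI" build, bad mode
    print("world-writable in CI build:", world_writable(ci))
    for path, (old, new) in metadata_drift(local, ci).items():
        print(path, old, "->", new)
```

Failing the pipeline when `world_writable` returns anything makes the bad build visible instead of leaving it to a retry to produce a good one.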


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds