On 20.03.2024 13.42, kpcyrd wrote:
Where do we go from here? It would be cool if the OCI container image itself could also be reproduced (bit-for-bit), but I'm not sure if there's any prior work (specifically for images listed as 'official' on Docker Hub)?
Specifically what I mean - given a line like this:
FROM archlinux@sha256:2dbd72d1e5510e047db7f441bf9069e9c53391b87e04e5bee3f379cd03cec060
I want to reproduce the artifact(s) that are pulled in by this, with the packages our Arch Linux rebuilders have reproduced from source code. From what I understand this hash points to a json manifest that is not contained in the container image itself and was generated by the registry (should we archive them?), and this manifest then points to the sha256 of the tar containing the filesystem (I'm possibly missing an indirection here).
Hopefully one of the many SBOM formats can help with this. :P
I know the container image is built from these two repositories but I don't have any in-depth knowledge:
- https://github.com/docker-library/official-images/blob/master/library/archli...
- https://gitlab.archlinux.org/archlinux/archlinux-docker
We do not control the full build pipeline for the Docker Hub official Arch Linux image. The workflow is basically (links for the 20240101.0.204074 tag provided):

1. Every week[1] new tarballs[2] and Dockerfiles[3] are built
2. A PR[4] is opened for the official-images repo on GitHub
3. The PR is merged
4. The Dockerfiles are built by official-images's build infrastructure[5] and pushed to Docker Hub

I'm not sure to what extent the official-images's build infrastructure supports "reproducible builds", but it was discussed[6] and implemented in some capacity for the golang image[7] in January. There is also an existing issue for reproducibility in archlinux-docker[8].

For our images published at docker.io/archlinux/archlinux, Quay.io and ghcr.io, we do control the whole build pipeline and we can more easily tweak the pipeline to support "reproducible builds" if desired. They are also already signed with cosign FWIW.

[1] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/pipelines/87673
[2] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/packages/1277
[3] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/tree/v20240101.0.2...
[4] https://github.com/docker-library/official-images/pull/15984
[5] https://doi-janky.infosiftr.net/
[6] https://github.com/docker-library/official-images/issues/16044
[7] https://github.com/docker-library/golang/pull/505
[8] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/issues/44

Cheers,
Kristian
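The digest chain kpcyrd asks about above, as an added example that is not part of this thread and is not code from archlinux-docker or official-images: a small Python script that builds a one-layer image in memory (constructed sample data, not the real archlinux image) and then walks a `FROM image@sha256:...` pin the way a registry client does. The pin is the digest of the manifest JSON, which the registry stores as a blob under that digest like any other; the manifest's `config` descriptor points at the config JSON, whose `rootfs.diff_ids` cover the uncompressed layer tars, while the manifest's `layers` descriptors carry the digests of the compressed blobs as stored in the registry. That compressed/uncompressed split is the extra indirection hinted at in the quoted message. Assumptions: the pin points at a single-platform manifest rather than an image index (multi-arch pins add one more level), the `blobs` dict stands in for the registry's blob store, and all function names are mine.

```python
import gzip
import hashlib
import io
import json
import tarfile


def sha256_digest(data):
    """Content address in the form registries use: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_layer(files):
    """Return (compressed_blob, uncompressed_tar) for one layer.

    mtime is pinned to 0 in both the tar entries and the gzip header so the
    bytes (and therefore every digest derived from them) are identical on
    each run; without that, the manifest digest would change per build.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(content))
    tar_bytes = buf.getvalue()
    return gzip.compress(tar_bytes, mtime=0), tar_bytes


def canonical_json(obj):
    """Fixed key order and no whitespace, so the JSON digest is stable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_constructed_image():
    """Construct a tiny single-layer image; returns (pinned_digest, blobs)."""
    blob, tar_bytes = make_layer({"etc/os-release": b'NAME="Arch Linux"\n'})
    config = canonical_json({
        "architecture": "amd64",
        "os": "linux",
        # diff_ids are digests of the *uncompressed* layer tars
        "rootfs": {"type": "layers", "diff_ids": [sha256_digest(tar_bytes)]},
    })
    manifest = canonical_json({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {
            "mediaType": "application/vnd.oci.image.config.v1+json",
            "digest": sha256_digest(config),
            "size": len(config),
        },
        # layer descriptors carry digests of the *compressed* blobs
        "layers": [{
            "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
            "digest": sha256_digest(blob),
            "size": len(blob),
        }],
    })
    # The registry's blob store: every object, manifest included, keyed by digest.
    blobs = {sha256_digest(x): x for x in (manifest, config, blob)}
    return sha256_digest(manifest), blobs


def verify_image(pinned, blobs):
    """Walk pin -> manifest -> config + layers, recomputing every digest.

    Returns the list of verified digests in the order they were checked and
    raises ValueError on the first mismatch, which is what a rebuilder would
    compare its own output against.
    """
    def fetch(digest, expected_size=None):
        data = blobs[digest]
        if sha256_digest(data) != digest:
            raise ValueError("content does not match digest " + digest)
        if expected_size is not None and len(data) != expected_size:
            raise ValueError("size mismatch for " + digest)
        return data

    manifest = json.loads(fetch(pinned))
    cfg_desc = manifest["config"]
    config = json.loads(fetch(cfg_desc["digest"], cfg_desc["size"]))
    diff_ids = config["rootfs"]["diff_ids"]
    if len(diff_ids) != len(manifest["layers"]):
        raise ValueError("layer count differs between manifest and config")

    verified = [pinned, cfg_desc["digest"]]
    for desc, diff_id in zip(manifest["layers"], diff_ids):
        blob = fetch(desc["digest"], desc["size"])
        tar_bytes = gzip.decompress(blob) if desc["mediaType"].endswith("+gzip") else blob
        if sha256_digest(tar_bytes) != diff_id:
            raise ValueError("uncompressed layer does not match diff_id " + diff_id)
        verified.append(desc["digest"])
    return verified


def tampered_blobs(pinned, blobs):
    """Copy of the blob store with the first layer swapped for junk of the
    same size: the size check passes, the digest check must not."""
    bad = dict(blobs)
    layer_digest = json.loads(blobs[pinned])["layers"][0]["digest"]
    bad[layer_digest] = b"\x00" * len(blobs[layer_digest])
    return bad


if __name__ == "__main__":
    pinned, blobs = build_constructed_image()
    print("FROM example@" + pinned)
    for d in verify_image(pinned, blobs):
        print("verified", d)
```

Running it twice gives the same pinned digest, which is the property a rebuilder needs: if the layer tar and the config JSON can be regenerated byte-for-byte from reproduced packages, the manifest digest follows from them, and the manifest is worth archiving only as a convenience, since it is fully determined by the blobs it references.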