Adjust tarball creation to be reproducible #188
That's probably better / more maintainable than my hacky script.
34f9a53 to 7783809
https://github.com/docker-library/busybox/actions/runs/7576748973/job/20636236993?pr=188#step:5:4479 👀
7783809 to e2aca1d
Nice, the simpler approach using
I guess this is good by itself, but my end goal is actually to go all the way to
e2aca1d to 644ee1a
Here's an example:

```
# this file is generated via https://github.com/infosiftr/busybox/blob/5aade3a1527f3dddc69ea149d040768941b34664/generate-stackbrew-library.sh

Maintainers: Tianon Gravi <[email protected]> (@tianon),
             Joseph Ferguson <[email protected]> (@yosifkit)
GitRepo: https://github.com/infosiftr/busybox.git
GitCommit: 5aade3a1527f3dddc69ea149d040768941b34664
Builder: oci-import
File: index.json
# https://github.com/infosiftr/busybox/tree/dist-amd64
amd64-GitFetch: refs/heads/dist-amd64
amd64-GitCommit: 668d52e6f0596e0fd0b1be1d8267c4b9240dc2b3
# https://github.com/infosiftr/busybox/tree/dist-arm32v6
arm32v6-GitFetch: refs/heads/dist-arm32v6
arm32v6-GitCommit: c479d660005ac7073e97509575668b794cdbc5f5

Tags: 1.36.1-glibc, 1.36-glibc, 1-glibc, stable-glibc, glibc
Architectures: amd64
amd64-Directory: latest/glibc/amd64

Tags: 1.36.1-uclibc, 1.36-uclibc, 1-uclibc, stable-uclibc, uclibc
Architectures: amd64
amd64-Directory: latest/uclibc/amd64

Tags: 1.36.1-musl, 1.36-musl, 1-musl, stable-musl, musl
Architectures: amd64, arm32v6
amd64-Directory: latest/musl/amd64
arm32v6-Directory: latest/musl/arm32v6

Tags: 1.36.1, 1.36, 1, stable, latest
Architectures: amd64, arm32v6
amd64-Directory: latest/glibc/amd64
arm32v6-Directory: latest/musl/arm32v6

Tags: 1.35.0-glibc, 1.35-glibc
Architectures: amd64
amd64-Directory: latest-1/glibc/amd64

Tags: 1.35.0-uclibc, 1.35-uclibc
Architectures: amd64
amd64-Directory: latest-1/uclibc/amd64

Tags: 1.35.0-musl, 1.35-musl
Architectures: amd64, arm32v6
amd64-Directory: latest-1/musl/amd64
arm32v6-Directory: latest-1/musl/arm32v6

Tags: 1.35.0, 1.35
Architectures: amd64, arm32v6
amd64-Directory: latest-1/glibc/amd64
arm32v6-Directory: latest-1/musl/arm32v6
```
Notably, this actually commits all but the tarballs directly in the master branch of this repository. The theory here is that with reproducible tarballs, that becomes a lot more interesting (we can meaningfully track their change over time, for example). The main concern I would've had with this is having multiple build jobs all trying to push to the same branch (and resolving merge conflicts between them as we rebase / re-push over and over), but with each architecture using a dedicated directory, that should be mostly reasonable (and these don't run on an automated trigger either, so there's not really a very high chance of changes in the way things build happening while a build is in progress).
da01e4f to 8283da6
It's going to be a bit more complex to fix our explicit (probably just a
4f05b89 to 77471be
This also now makes our CI verify the reproducibility. 👀
77471be to 03186f9
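An added example (not the PR's own script or CI job) of the kind of check the comment above describes: pack the same content twice and compare digests. It assumes GNU tar 1.28 or later, gzip and sha256sum; the function names, the sample tree and the normalization flags are chosen here, not taken from the PR.

```shell
#!/bin/sh
# Added example; assumes GNU tar >= 1.28 (for --sort), gzip and sha256sum.
set -eu

# Pack directory $1 into $2 (must end in .gz) with host-dependent metadata pinned:
# entry order, mtimes, owner/group, and the gzip header's name/timestamp fields.
repro_tar() {
	tar --create --file "${2%.gz}" --directory "$1" \
		--sort=name \
		--mtime="@${SOURCE_DATE_EPOCH:-0}" \
		--owner=0 --group=0 --numeric-owner \
		.
	gzip -n -f "${2%.gz}"   # -n: do not store the input name or mtime
}

# The same archive with tar's defaults, for contrast.
naive_tar() {
	tar --create --gzip --file "$2" --directory "$1" .
}

# Constructed sample rootfs: fixed content, caller-chosen timestamps.
make_rootfs() {
	mkdir -p "$1/bin" "$1/etc"
	printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/etc/passwd"
	printf '#!/bin/sh\necho hello\n' > "$1/bin/hello"
	chmod 755 "$1/bin/hello"
	find "$1" -exec touch -d "$2" {} +
}

digest() { sha256sum "$1" | cut -d' ' -f1; }

# Build two trees that differ only in timestamps, pack both with packer $1,
# and print "match" or "differ" for the resulting tarball digests.
compare_builds() (
	work="$(mktemp -d)"
	make_rootfs "$work/a" '2024-01-01 00:00:00'
	make_rootfs "$work/b" '2024-01-19 12:34:56'
	"$1" "$work/a" "$work/a.tar.gz"
	"$1" "$work/b" "$work/b.tar.gz"
	if [ "$(digest "$work/a.tar.gz")" = "$(digest "$work/b.tar.gz")" ]; then
		echo match
	else
		echo differ
	fi
	rm -rf "$work"
)

echo "normalized:   $(compare_builds repro_tar)"
echo "tar defaults: $(compare_builds naive_tar)"
```

A CI job built on this would fail the run whenever the normalized build reports `differ`.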
(So it's written down somewhere explicitly: one end goal of this is to have something with lower stakes / less DOI child images than Ubuntu to test docker-library/meta-scripts#20 against 👀)
apply-templates.sh
Outdated
{ | ||
generated_warning | ||
gawk -f "$jqt" Dockerfile-builder.template | ||
} > "$version/$variant/Dockerfile.builder" | ||
|
||
cp Dockerfile.template "$version/$variant/Dockerfile" | ||
ln -svfT amd64/rootfs.tar.gz "$version/$variant/busybox.tar.gz" |
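Review bot: the `ln -svfT amd64/rootfs.tar.gz "$version/$variant/busybox.tar.gz"` line at the end of this hunk hardcodes amd64 as the link target for every version and variant, and nothing in the hunk checks that the target exists, so wherever the amd64 tarball is absent the template step leaves a dangling `busybox.tar.gz`. Consider creating the link in the per-architecture build step, where the architecture is known and the tarball has just been produced, instead of in apply-templates.sh.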
If each dist branch has to make this symlink for their respective architecture anyway, we should probably just leave it off of the main branch.
Yeah, that's fair -- done!
03186f9 to 088bdc4
088bdc4 to 7e39d61
Changes:
- docker-library/busybox@6ded0a4: Merge pull request docker-library/busybox#188 from infosiftr/reproducible-rootfs
- docker-library/busybox@7e39d61: Initial `Builder: oci-import` support
- docker-library/busybox@644ee1a: Adjust tarball creation to be reproducible
Changes:
- docker-library/busybox@0fd3015: Stop `latest` aliases on riscv64 from pointing to anything but uclibc (for now)
- docker-library/busybox@6ded0a4: Merge pull request docker-library/busybox#188 from infosiftr/reproducible-rootfs
- docker-library/busybox@7e39d61: Initial `Builder: oci-import` support
- docker-library/busybox@644ee1a: Adjust tarball creation to be reproducible
Changes:
- docker-library/busybox@a20bcbd: Merge pull request docker-library/busybox#191 from infosiftr/cherry-meta
- docker-library/busybox@0fd3015: Stop `latest` aliases on riscv64 from pointing to anything but uclibc (for now)
- docker-library/busybox@69f51a1: Update metadata for s390x
- docker-library/busybox@f29b4e0: Update metadata for ppc64le
- docker-library/busybox@8d72643: Update metadata for mips64le
- docker-library/busybox@51977e5: Update metadata for i386
- docker-library/busybox@b52155f: Update metadata for arm64v8
- docker-library/busybox@2568e26: Update metadata for arm32v7
- docker-library/busybox@a6e074f: Update metadata for arm32v6
- docker-library/busybox@884455c: Update metadata for arm32v5
- docker-library/busybox@6ded0a4: Merge pull request docker-library/busybox#188 from infosiftr/reproducible-rootfs
- docker-library/busybox@7e39d61: Initial `Builder: oci-import` support
- docker-library/busybox@644ee1a: Adjust tarball creation to be reproducible