Version 7 vs 8
Edits
- Edit by jeremiah.foster, Version 8
- Feb 11 2021 05:38
- Edit by jeremiah.foster, Version 7
- Jan 21 2021 13:10
Content Changes
# PureOS reproducible containers
PureOS uses a tool called Debuerreotype to create auditable, reproducible tarballs of root file systems. These root file systems (rootfs) are turned into containers and uploaded to Docker Hub and quay.io. Containers are useful for testing and building software in PureOS on any hardware that can run Docker or similar.
Debuerreotype is a set of shell scripts that reuse debootstrap to build a rootfs. These shell scripts use an [[ https://reproducible-builds.org/docs/source-date-epoch/ | "epoch" file ]] (debuerreotype-epoch), which is used to adjust the various timestamps in build tools. These timestamps change at build time and can have an effect on the hashsums used to determine bit-for-bit reproducibility of a build from the same source code.
Using these instructions, you should be able to verify that you build a bit-for-bit identical container image. First, install debuerreotype:
```
sudo apt install debuerreotype
```
Then create two separate builds in two separate directories, passing the same timestamp to both:
```
sudo /usr/sbin/debuerreotype-init --non-debian ./1111/byzantium byzantium http://repo.pureos.net/pureos 2021-01-01T00:00:00Z
sudo /usr/sbin/debuerreotype-init --non-debian ./0000/byzantium byzantium http://repo.pureos.net/pureos 2021-01-01T00:00:00Z
```
Next, generate a tarball from each rootfs and hash it:
```
sudo /usr/sbin/debuerreotype-tar 0000/byzantium - | sha256sum
baf307869422a4fdf26c7229ab00d1c9c540b89dba8f801aea01518a81f153cb -
sudo /usr/sbin/debuerreotype-tar 1111/byzantium - | sha256sum
baf307869422a4fdf26c7229ab00d1c9c540b89dba8f801aea01518a81f153cb -
```
The hashsums match, so the two builds are bit-for-bit identical.
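The effect of timestamps on hashsums described above can be reproduced on a small scale. The following is an added example, not part of the original page and not Debuerreotype's own code: it assumes GNU tar and sha256sum, builds two constructed directory trees with identical content but different modification times, and compares a plain tarball hash against one where mtimes are clamped to a fixed epoch. The helper names (`make_tree`, `naive_hash`, `normalized_hash`) are hypothetical.

```sh
#!/bin/sh
# Added illustration: identical content, different mtimes -> different tar hash,
# unless mtimes are clamped to a fixed epoch. Assumes GNU tar and sha256sum.
set -eu

# 2021-01-01T00:00:00Z as seconds since the Unix epoch (the timestamp used above).
EPOCH=1609459200

# make_tree DIR STAMP: build a tiny constructed "rootfs" whose entries carry
# the mtime STAMP (touch -t format, CCYYMMDDhhmm).
make_tree() {
    mkdir -p "$1/etc"
    printf 'byzantium\n' > "$1/etc/os-release"
    touch -t "$2" "$1/etc/os-release" "$1/etc" "$1"
}

# Plain tarball: entry order and ownership are fixed so that the only thing
# left to vary between the two trees is the mtime stored in each tar header.
naive_hash() {
    tar -C "$1" --sort=name --owner=0 --group=0 --numeric-owner -cf - . \
        | sha256sum | cut -d' ' -f1
}

# Normalized tarball: any mtime newer than EPOCH is clamped down to EPOCH.
normalized_hash() {
    tar -C "$1" --sort=name --owner=0 --group=0 --numeric-owner \
        --mtime="@$EPOCH" --clamp-mtime -cf - . \
        | sha256sum | cut -d' ' -f1
}

# Demo: two "builds" made at different times (both after EPOCH).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_tree "$work/0000" 202101211310
make_tree "$work/1111" 202102110538

echo "naive 0000:      $(naive_hash "$work/0000")"
echo "naive 1111:      $(naive_hash "$work/1111")"
echo "normalized 0000: $(normalized_hash "$work/0000")"
echo "normalized 1111: $(normalized_hash "$work/1111")"
```

The two naive hashes differ while the two normalized hashes are equal, which is the property the sha256sum comparison above checks for the real rootfs.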
Git repos and source code for building reproducible containers [[ URL | are available here. ]]