PureOS Container Images
PureOS reproducible containers
PureOS uses a tool call Debuerreotype to create auditable, reproducible tarballs of root file systems. These root file systems (rootfs) are turned into containers and uploaded to Docker Hub and quay.io. Containers are useful for testing and building software in PureOS on any hardware that can run docker or similar.
Debuerreotype is a set of shell scripts that reuse debootstrap to build a rootfs. These shell scripts use an "epoch" file (debuerreotype-epoch) which is useful for adjusting the various timestamps in build tools. These timestamps change at build time and can have an affect on hashsums which are used to determine bit for bit reproducibility of a build from the same source code.
You can use these instructions and you should be able to verify that you build a bit for bit identical container image. First, install debuerreotype;
$ apt install debuerreotypeThen we create two separate builds in two separate directories;
sudo /usr/sbin/debuerreotype-init --non-debian ./1111/byzantium byzantium http://repo.pureos.net/pureos 2021-01-01T00:00:00Z sudo /usr/sbin/debuerreotype-init --non-debian ./0000/byzantium byzantium http://repo.pureos.net/pureos 2021-01-01T00:00:00Z
sudo /usr/sbin/debuerreotype-tar 0000/byzantium - | sha256sum baf307869422a4fdf26c7229ab00d1c9c540b89dba8f801aea01518a81f153cb - sudo /usr/sbin/debuerreotype-tar 1111/byzantium - | sha256sum baf307869422a4fdf26c7229ab00d1c9c540b89dba8f801aea01518a81f153cb -
The hashsums match.
Git repos and source code for building reproducible containers is available here.
- Last Author
- jeremiah.foster
- Last Edited
- Feb 11 2021, 05:45