chainguard-dev / apko

Build OCI images from APK packages directly without Dockerfile
https://apko.dev
Apache License 2.0

Idea: pinning specific versions of apk packages (with repro-get, oras, etc.) #396

Closed AkihiroSuda closed 1 year ago

AkihiroSuda commented 1 year ago

Hi @amouat , thanks for your presentation at Cloud Native SecurityCon.

As asked in the question time, it would be nice if apko can reproduce images including the versions of the apk package.

But this is currently challenging, as the Alpine upstream does not provide archives of old packages.

A workaround for this problem I'm working on is repro-get, which is a tool to install a specific version of apk (or dpkg, rpm, pacman) packages from an http(s) site, local filesystem, OCI registry, or IPFS, using SHA256SUMS of the package files.

Example: https://github.com/reproducible-containers/repro-get/tree/v0.2.0/examples/neofetch-alpine

repro-get does not create the old apk archives by itself, but helps installing old apk packages from a user-managed custom location.

repro-get could probably be integrated into apko (either as a Go library or an external binary) like this:

```
apko build --hash-file=./SHA256SUMS --provider=oci://some-registry.such.as.ghcr.io/USERNAME/REPO ./existing-unmodified-apko-yaml.yaml
```

The apko build command should also have flags like --export-packages=DIR to export the apk packages and the SHA256SUMS to a local directory. The exported files can be pushed to e.g. an OCI registry using ORAS.
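The SHA256SUMS-based pinning the proposal relies on, as an added example in Go. This is not code from apko or from repro-get; it is a stand-alone illustration of the check such an integration would have to perform before installing packages from a user-managed location. The package names, their contents (plain bytes, not real apk archives) and the SHA256SUMS text are constructed for the example; the digests are sha256("abc") and sha256("hello"). The verifier fails closed on three kinds of drift a pinned build must catch: a listed package that is missing, a package whose bytes no longer match the pinned digest (an upstream rebuild under the same version string), and an unlisted package that has appeared in the directory. It also rejects sum-file entries that try to name a path outside the package directory.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Constructed sample: two stand-in "packages" (plain bytes, not real apk
// archives) and the SHA256SUMS text that pins them.
var SamplePackages = map[string][]byte{
	"pkg-a-1.0-r0.apk": []byte("abc"),
	"pkg-b-2.0-r1.apk": []byte("hello"),
}

// sha256sum(1) format: "<hex>  <name>". Digests are sha256("abc") and sha256("hello").
const SampleSums = `ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  pkg-a-1.0-r0.apk
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  pkg-b-2.0-r1.apk
`

// ParseSums reads sha256sum-style lines (an optional '*' before the name marks
// binary mode). Names containing a path separator or ".." are rejected so a
// sum file fetched from an untrusted location cannot point outside the
// package directory.
func ParseSums(r io.Reader) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("line %d: expected '<sha256>  <file>'", n)
		}
		sum, name := strings.ToLower(fields[0]), strings.TrimPrefix(fields[1], "*")
		if raw, err := hex.DecodeString(sum); err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("line %d: %q is not a sha256 hex digest", n, sum)
		}
		if name != filepath.Base(name) || name == "." || name == ".." {
			return nil, fmt.Errorf("line %d: unsafe file name %q", n, name)
		}
		if _, dup := sums[name]; dup {
			return nil, fmt.Errorf("line %d: duplicate entry for %q", n, name)
		}
		sums[name] = sum
	}
	return sums, sc.Err()
}

// VerifyDir checks that dir holds exactly the pinned set: every listed file is
// present with a matching digest, and no unlisted *.apk is present.
func VerifyDir(dir string, sums map[string]string) error {
	for name, want := range sums {
		got, err := fileSHA256(filepath.Join(dir, name))
		if err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
		if got != want {
			return fmt.Errorf("%s: digest mismatch: pinned %s, got %s", name, want, got)
		}
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return err
	}
	for _, e := range entries {
		if e.IsDir() || !strings.HasSuffix(e.Name(), ".apk") {
			continue
		}
		if _, ok := sums[e.Name()]; !ok {
			return fmt.Errorf("%s: present in directory but not in SHA256SUMS", e.Name())
		}
	}
	return nil
}

func fileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// WriteSample materialises the constructed packages into dir.
func WriteSample(dir string) error {
	for name, body := range SamplePackages {
		if err := os.WriteFile(filepath.Join(dir, name), body, 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "apk-pin")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := WriteSample(dir); err != nil {
		panic(err)
	}
	sums, err := ParseSums(strings.NewReader(SampleSums))
	if err != nil {
		panic(err)
	}
	fmt.Println("pristine directory:", VerifyDir(dir, sums))
	// Simulate an upstream rebuild: same version string, different bytes.
	os.WriteFile(filepath.Join(dir, "pkg-a-1.0-r0.apk"), []byte("abc-rebuilt"), 0o644)
	fmt.Println("after rebuild:", VerifyDir(dir, sums))
}
```

The "no unlisted package" rule is deliberate: a pinned install is a closed set, so a package that appears in the mirror without a SHA256SUMS entry should abort the build rather than be silently installed.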

amouat commented 1 year ago

Thanks @AkihiroSuda!

In the case of Wolfi, the current plan is to keep archives of packages.

We also have plans for supporting lock repos (see #185)

We'll definitely take a look at repro-get.

AkihiroSuda commented 1 year ago

pinning is now supported: https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds

So I'm fine with closing this.