Closed AkihiroSuda closed 1 year ago
Thanks @AkihiroSuda!
In the case of Wolfi, the current plan is to keep archives of packages.
We also have plans for supporting lock repos (see #185)
We'll definitely take a look at repro-get.
Pinning is now supported: https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds
So I'm fine with closing this.
Hi @amouat , thanks for your presentation at Cloud Native SecurityCon.
As asked in the question time, it would be nice if apko could reproduce images, including the versions of the apk packages.
But this is currently challenging, as the Alpine upstream does not provide archives of old packages.
A workaround for this problem I'm working on is repro-get, a tool to install a specific version of apk (or dpkg, rpm, pacman) packages from an http(s) site, a local filesystem, an OCI registry, or IPFS, using the SHA256SUMS of the package files.
Example: https://github.com/reproducible-containers/repro-get/tree/v0.2.0/examples/neofetch-alpine
repro-get does not create the old apk archives by itself, but helps install old apk packages from a user-managed custom location.
repro-get could probably be integrated into apko (either as a Go library or as an external binary) like this:
The `apko build` command should also have flags like `--export-packages=DIR` to export the apk packages and the SHA256SUMS to a local directory. The exported files can be pushed to e.g. an OCI registry using ORAS.
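To make the two halves of the proposal concrete (an export that writes a SHA256SUMS manifest next to a directory of apk packages, and an install step that only proceeds when every file matches that manifest), here is a small POSIX sh sketch. It is an added example, not repro-get or apko code: the package names and file contents are constructed, and the manifest format is assumed to be the `<hex>  <name>` lines that `sha256sum` itself writes.

```shell
#!/bin/sh
# Added example, not repro-get or apko code. Models the proposal above:
# "export" writes a SHA256SUMS manifest for a directory of .apk files, and
# "verify" refuses to hand the directory to apk unless every file named in
# the manifest is present with the recorded digest.
# Package names and contents below are constructed for the example.

# make_sample DIR: create a directory of fake .apk files (constructed data).
make_sample() {
  mkdir -p "$1"
  printf 'fake apk payload: busybox\n' > "$1/busybox-1.36.1-r0.apk"
  printf 'fake apk payload: musl\n'    > "$1/musl-1.2.4-r0.apk"
}

# export_packages DIR: write DIR/SHA256SUMS listing every *.apk in DIR as
# "<hex>  <name>", the format sha256sum emits (and `sha256sum -c` reads).
export_packages() {
  dir=$1
  ( cd "$dir" && for f in *.apk; do
      [ -f "$f" ] || continue            # no .apk files: empty manifest
      sha256sum "$f"
    done ) > "$dir/SHA256SUMS"
}

# verify_packages DIR SUMS: check DIR against the manifest SUMS. Every entry
# must exist with a matching digest; a missing or altered file is reported on
# stderr and the function returns 1, so a caller can gate `apk add` on it.
verify_packages() {
  dir=$1
  sums=$2
  rc=0
  while read -r want name; do
    [ -n "$name" ] || continue           # skip blank lines
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; rc=1; continue
    fi
    got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $name (want $want, got $got)" >&2; rc=1
    fi
  done < "$sums"
  return $rc
}

# demo: export a sample directory, then show that a tampered copy is rejected.
demo() {
  tmp=$(mktemp -d)
  make_sample "$tmp/pkgs"
  export_packages "$tmp/pkgs"
  verify_packages "$tmp/pkgs" "$tmp/pkgs/SHA256SUMS" && echo "original: ok"
  cp -r "$tmp/pkgs" "$tmp/bad"
  printf 'x' >> "$tmp/bad/musl-1.2.4-r0.apk"
  verify_packages "$tmp/bad" "$tmp/pkgs/SHA256SUMS" || echo "tampered: rejected"
  rm -rf "$tmp"
}

# Run the demo only when invoked as `sh thisfile.sh demo`.
if [ "${1:-}" = "demo" ]; then demo; fi
```

Once `verify_packages` succeeds, the directory can be fed to apk from local files (for instance `apk add --no-network DIR/*.apk`, which additionally needs `--allow-untrusted` when the packages are not signed by a key apk already trusts). In that setup the SHA256SUMS file carries the trust that a repository signature would normally provide, so it has to come from a location the builder trusts, which is why pushing it alongside the packages to a user-controlled OCI registry, as the proposal suggests, matters.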