josephbisch
commented
9 years ago This is an interesting idea. The problem is that debootstrap (and consequentially vmbuilder, because it uses debootstrap under the hood) installs the newest point release by default. It may be possible for this to work if it is possible to disable the updates repository. Debian has snapshot.debian.org, which makes it easy to get a repository that reflects a particular point in time. It is possible to get old versions of packages for Ubuntu too, but there isn't an automated repository service like snapshot.debian.org for Ubuntu.
So if Debian VM images were supported, it would be a little easier, in the sense that you wouldn't need to setup a repository yourself.
kleetus
devrandom
As discussed in #53 and https://github.com/bitcoin/bitcoin/issues/4265 I propose a (very low priority) feature request to support aside from the sha256sum of installed .deb packages a second list in a text file with one package per line, in format:
Given that an Ubuntu image is always used to build, we could afterwards restore older version of packages by setting proper apt sources (archives.ubuntu.com) and the issuing:
This helps at increasing determinism/reproducibility in case the distro is changed upstream, although falls short in case package versions go completely missing upstream even from archives.
NOTE: downgrade is basically not supported by any package mantainer, thus it would be best to completely circumvent the problem of changed packages by using only an officially released Ubuntu ISO (and never issuing an apt-get update) and a set pool of necessary .deb package dependencies put directly in the apt-cacher-ng cache. Each project could then host their own APT archives source to support the reproducible build.