moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

Consider migrating from Alpine to Debian, Ubuntu, or Wolfi for reproducible builds #4222

Closed AkihiroSuda closed 1 year ago

AkihiroSuda commented 1 year ago

Reproducible builds are hard with Alpine, as Alpine does not keep old packages: https://gitlab.alpinelinux.org/alpine/abuild/-/issues/9996

Debian, Ubuntu, and Wolfi are more suitable for reproducible builds, as they keep old packages:

Wolfi currently does not support armv7, s390x, ppc64le, and riscv64 though:

AkihiroSuda commented 1 year ago

Wolfi might not be an option, as they seem to require an enterprise license for pulling old ~images~ tags: https://github.com/chainguard-images/images/tree/main/images/wolfi-base

> View Image Catalog for a full list of available tags. Contact Chainguard for enterprise support, SLAs, and access to older tags.

Looks like old digests still seem to be available for free, though: https://www.chainguard.dev/unchained/important-updates-for-chainguard-images-public-catalog-users

> Images pulled by digest (that is, @sha256:...) will be available without logging in, but will not receive any updates or security fixes.

kaniini commented 1 year ago

> Wolfi might not be an option, as they seem to require an enterprise license

This is strictly about the enterprise Chainguard Images product, which is built on Wolfi, but is not Wolfi itself.

AkihiroSuda commented 1 year ago

This seems fine for us: