From d0a2374d677bb0aa355cb65591a79e33f9bbbebc Mon Sep 17 00:00:00 2001 From: Robin Candau Date: Wed, 29 Apr 2026 01:07:38 +0200 Subject: [PATCH] Expand repro documentation and ensure fixed timezone Expand the repro documentation with missing bits: - The Dockerfile needs to be regenerated with the correct group for title annotation to ensure reproducibility. - The CI_COMMIT_SHA of the original pipeline needs to be honored in the Dockerfile. Also, set the timezone to UTC in Makefile and scripts to ensure consistency in the generated dates / timestamps (e.g. ARCHIVE_SNAPSHOT / SOURCE_DATE_EPOCH), regardless of the timezone of the environment. Otherwise, someone rebuilding the image locally can unexpectedly end up with a different value for those if the system uses a different timezone. --- Makefile | 5 ++++- REPRO.md | 21 ++++++++++++--------- scripts/make-dockerfile.sh | 3 +++ scripts/make-rootfs.sh | 3 +++ 4 files changed, 22 insertions(+), 10 deletions(-) diff --git a/Makefile b/Makefile index 9f8417f..072d06e 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,10 @@ +# Fixed TZ to ensure consistency +export TZ := UTC + OCITOOL=podman # or docker BUILDDIR=$(shell pwd)/build OUTPUTDIR=$(shell pwd)/output -ARCHIVE_SNAPSHOT=$(shell date -d "-1 day" +"%Y/%m/%d") +ARCHIVE_SNAPSHOT=$(shell date -u -d "-1 day" +"%Y/%m/%d") SOURCE_DATE_EPOCH=$(shell date -u -d "00:00:00" +"%s") .PHONY: clean diff --git a/REPRO.md b/REPRO.md index 0aa0733..357b0bd 100644 --- a/REPRO.md +++ b/REPRO.md @@ -56,7 +56,7 @@ export BUILD_VERSION="20260331.0.508794" the image against. This is based on the date included in the image's `BUILD_VERSION`: ```bash -export ARCHIVE_SNAPSHOT=$(date -d "${BUILD_VERSION%%.*} -1 day" +"%Y/%m/%d") +export ARCHIVE_SNAPSHOT=$(date -u -d "${BUILD_VERSION%%.*} -1 day" +"%Y/%m/%d") ``` * `SOURCE_DATE_EPOCH`: The value to normalize timestamps with during the build. 
@@ -66,7 +66,14 @@ This is based on the date included in the image's `BUILD_VERSION`: export SOURCE_DATE_EPOCH=$(date -u -d "${BUILD_VERSION%%.*} 00:00:00" +"%s") ``` -Then clone the [archlinux-docker](https://gitlab.archlinux.org/archlinux/archlinux-docker) +Then pull the original image you're aiming to reproduce and set its revision value in your environment (needed to correctly set the revision annotation in the Dockerfile): + +```bash +podman pull docker.io/archlinux/archlinux:repro-$BUILD_VERSION +export CI_COMMIT_SHA=$(podman inspect --format '{{ index .Config.Labels "org.opencontainers.image.revision" }}' archlinux/archlinux:repro-$BUILD_VERSION) +``` + +Finally, clone the [archlinux-docker](https://gitlab.archlinux.org/archlinux/archlinux-docker) repository and move into it: ```bash @@ -86,6 +93,8 @@ make \ ARCHIVE_SNAPSHOT="$ARCHIVE_SNAPSHOT" \ SOURCE_DATE_EPOCH="$SOURCE_DATE_EPOCH" \ $PWD/output/Dockerfile.repro + +scripts/make-dockerfile.sh repro.tar.zst repro output/ "true" "repro" "$SOURCE_DATE_EPOCH" ``` The following resulting artifacts will be located in `$PWD/output`: @@ -135,13 +144,7 @@ The built image will be accessible in your local podman container storage under ## Check the image reproducibility -Pull the image you're aiming to reproduce from Docker Hub: - -```bash -podman pull docker.io/archlinux/archlinux:repro-$BUILD_VERSION -``` - -Compare the digest of the image pulled from Docker Hub to the digest of the image you built +Compare the digest of the original image pulled from Docker Hub to the digest of the image you built locally: ```bash diff --git a/scripts/make-dockerfile.sh b/scripts/make-dockerfile.sh index afee8a4..2691268 100755 --- a/scripts/make-dockerfile.sh +++ b/scripts/make-dockerfile.sh @@ -2,6 +2,9 @@ set -euo pipefail +# Fixed TZ to ensure consistency +export TZ=UTC + declare -r ROOTFS_FILE="$1" declare -r GROUP="$2" declare -r OUTPUTDIR="$3" 
diff --git a/scripts/make-rootfs.sh b/scripts/make-rootfs.sh index 1f39f3b..7ea1b81 100755 --- a/scripts/make-rootfs.sh +++ b/scripts/make-rootfs.sh @@ -2,6 +2,9 @@ set -euo pipefail +# Fixed TZ to ensure consistency +export TZ=UTC + declare -r WRAPPER="fakechroot -- fakeroot" declare -r GROUP="$1"
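Review bot: In the Makefile hunk, the comment `# Fixed TZ to ensure consistency` above `export TZ := UTC` does not say that the two `$(shell date ...)` assignments must keep their own `-u`. GNU make releases before 4.4 do not pass exported variables to `$(shell ...)`, so on those versions the export only reaches recipe commands and `-u` is what pins `ARCHIVE_SNAPSHOT` and `SOURCE_DATE_EPOCH` to UTC. Suggest extending the comment to say so, so that `-u` is not later dropped as redundant.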
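Review bot: In the REPRO.md hunk at `@@ -66,7 +66,14 @@`, `podman inspect` uses the short name `archlinux/archlinux:repro-$BUILD_VERSION` while the `podman pull` line above it uses `docker.io/archlinux/archlinux:repro-$BUILD_VERSION`. Suggest using the fully qualified `docker.io/...` reference in both commands so the label is read from exactly the image that was pulled, independent of local short-name resolution settings. The snippet also does not check that the `org.opencontainers.image.revision` label produced a value; a line telling the reader to confirm `CI_COMMIT_SHA` is non-empty before continuing would stop a missing revision from showing up only later, when the digests are compared.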
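Review bot: In the REPRO.md hunk at `@@ -86,6 +93,8 @@`, the added `scripts/make-dockerfile.sh repro.tar.zst repro output/ "true" "repro" "$SOURCE_DATE_EPOCH"` line has no accompanying explanation. The commit message says the Dockerfile must be regenerated with the correct group for the title annotation, but the document itself does not, and the meaning of the positional `"true"` and `"repro"` arguments is not stated. Suggest a sentence near this command saying why the script is run again after `make` and how it relates to the `CI_COMMIT_SHA` exported earlier.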