In 4b15f9a1a1, a placeholder for the ldconfig aux-cache cleanup (required for the repro image) was implemented in the Dockerfile template and was substituted by either `&& rm -f /var/cache/ldconfig/aux-cache` for the repro group or `&& true` for other groups (so that it does nothing).
While technically harmless, the resulting `&& true` for the non-repro groups is slightly confusing and may raise some eyebrows (see https://github.com/docker-library/official-images/pull/21366). This change aims to drop the placeholder for the ldconfig aux-cache cleanup in the Dockerfile template and simply expand the "ldconfig + sed" RUN command to include the ldconfig aux-cache cleanup for the repro group. This results in a more precisely targeted substitution without unnecessary and confusing addition in the Dockerfile of the non-repro groups.
Expand the repro documentation with missing bits:
- The Dockerfile needs to be regenerated with the correct group for title annotation to ensure reproducibility.
- The CI_COMMIT_SHA of the original pipeline needs to be honored in the Dockerfile.
Also, set the timezone to UTC in Makefile and scripts to ensure consistency in the generated dates / timestamps (e.g. ARCHIVE_SNAPSHOT / SOURCE_DATE_EPOCH), regardless of the timezone of the environment. Otherwise, someone rebuilding the image locally can unexpectedly end up with a different value for those if the system uses a different timezone.
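The timezone pitfall described above, as an added example (not code from the archlinux-docker repo): a snapshot date derived from SOURCE_DATE_EPOCH with and without TZ pinned. The YYYY/MM/DD format, the function names and the epoch value are assumptions made for illustration; GNU `date -d @EPOCH` is assumed, as on an Arch build host.

```shell
# Constructed input: 1700000000 = 2023-11-14 22:13:20 UTC, which is late
# enough in the day that a host 9 hours ahead of UTC has already rolled
# over to 2023-11-15.
SOURCE_DATE_EPOCH=1700000000

# Naive derivation: inherits whatever TZ the calling environment has, so
# two people rebuilding the same commit can get two different dates.
snapshot_date_naive() {
    date -d "@$1" +%Y/%m/%d
}

# Pinned derivation: force TZ=UTC for the date call itself, so the value
# depends only on SOURCE_DATE_EPOCH and not on the build machine.
snapshot_date_utc() {
    TZ=UTC date -d "@$1" +%Y/%m/%d
}

# Simulate a UTC+9 host with a POSIX TZ string (no tzdata needed); the
# command substitutions run in subshells, so TZ does not leak out.
echo "naive on a UTC+9 host: $(TZ=JST-9 snapshot_date_naive "$SOURCE_DATE_EPOCH")"  # 2023/11/15
echo "pinned on a UTC+9 host: $(TZ=JST-9 snapshot_date_utc "$SOURCE_DATE_EPOCH")"   # 2023/11/14
echo "pinned on a UTC host:   $(TZ=UTC snapshot_date_utc "$SOURCE_DATE_EPOCH")"     # 2023/11/14
```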
We were not patching the correct mirrorlist and therefore the Archive repo snapshot was not honored in the build...
Also adding some debug visibility to ease future debug sessions
There's actually a dedicated flag to ignore image name annotations specifically so we don't have to ignore the other attributes with the `--semantic` flag.
Add the missing 'source_date_epoch' argument to the make-dockerfile.sh script call in the pre-release CI stage
See merge request archlinux/archlinux-docker!99
The container registry is always going to rewrite parts of the image in an uncontrollable way. As far as we know, it's not possible to download a 1:1 copy of a build output from the container registry (until someone figures this out).
As far as I understand it, it also explains why `diffoci --semantic` is a thing and why it's generally considered "good enough" (given current constraints).
This is more informative than anything, we're primarily looking at providing a bit for bit reproducible image. The reproducibility of the userspace is not fully guaranteed at the moment.
Given that we intend to create a dedicated repro tag, we should probably put every repro step behind this condition and leave the other groups / tags untouched for now.
This commit takes the relevant repro steps from the wsl image, and wraps
breaking changes to only affect the :repro image
Testing reproducibility is not yet included, so we can discuss the
approach first