Comments (18)
The first PR:
from official-images.
BTW snapshot.ubuntu.com
hosted on Azure seems quite fast enough to adopt as the default.
https://ubuntu.com/blog/ubuntu-snapshots-on-azure-ensuring-predictability-and-consistency-in-cloud-deployments
Would it be acceptable to add Ubuntu variants to DOI?
This will be also beneficial for Ubuntu users who are not interested in reproducible builds
from official-images.
@AkihiroSuda Would your proposal also include publishing those images on the daily, tagged by date (i.e. corresponding to the snapshot package sources), like @tianon currently does for Debian on a ~monthly basis?
This is an orthogonal topic.
from official-images.
SLSA provenance manifest blobs (enabled by default in recent buildx) are not reproducible by design, so the image index digest will not be reproducible.
The index could be reproducible if the artifacts were associated using the upcoming OCI subject/referrers API rather than injecting it directly in the index.
A digest can be embedded in a FROM instruction of a Dockerfile.
However, I wonder that image maintainers might not want to update Dockerfiles frequently to ensure the latest base image to be picked up during the upstream build.In that case, we can just leave FROM instructions unpinned, and let reproducers to use the COVNERT action of source policies to dynamically replace the image identifier
The push from groups like Scorecard is to embed the digest directly in the Dockerfile and maintain the pin with a tool like renovate or dependabot. This gives reproducibility with controlled updates.
We will also need to have a CI to periodically attest reproducibility with the proposed CLI above.
I'd love to see work done on a user tool that can take any built image, or git commit, and verify the output. We can assist this work by annotating the images with details like the git commit used to build them and the SOURCE_DATE_EPOC
value. This could allow an independent 3rd party verification of images, and signatures or attestations pushed to their repository as detached artifacts (artifacts referencing an image that is not in that repository). Users could then add a policy on their side to require a 3rd party attestation from a list of trusted rebuilders.
from official-images.
The index could be reproducible if the artifacts were associated using the upcoming OCI subject/referrers API rather than injecting it directly in the index.
Yes, but I guess adoption of the spec v1.1 in DOI is likely to take years, as user's site-local mirrors are mostly not ready for v1.1 yet
The push from groups like Scorecard is to embed the digest directly in the Dockerfile and maintain the pin with a tool like renovate or dependabot. This gives reproducibility with controlled updates.
Yes, but I wonder that maintainers might not want to see tons of bump-up PRs to happen every day.
from official-images.
The index could be reproducible if the artifacts were associated using the upcoming OCI subject/referrers API rather than injecting it directly in the index.
Yes, but I guess adoption of the spec v1.1 in DOI is likely to take years, as user's site-local mirrors are mostly not ready for v1.1 yet
OCI 1.0 conformant mirrors already support it by use of a fallback tag. It's similar to how sigstore implements their attestations today.
The push from groups like Scorecard is to embed the digest directly in the Dockerfile and maintain the pin with a tool like renovate or dependabot. This gives reproducibility with controlled updates.
Yes, but I wonder that maintainers might not want to see tons of bump-up PRs to happen every day.
There's a constant bump-up already. One is invisible and hurts reproducibility, while the other is documented with a Git commit.
from official-images.
I don't have the bandwidth to respond to all of this right now, so I'll focus on the bit that concerns me the most: the service provided at snapshot.debian.org
is not currently well-maintained or well-staffed (hence the speed issues, but it's a much deeper problem), so I would be very uncomfortable intentionally adding to them the load of all our image builds/rebuilds.
At a high level, I think the best place to start here (especially as it would be the least disruptive) is making useful/interesting layers reproducible. For example, docker-library/golang@46f40bd is an old PoC that @yosifkit worked on which provides that for the Go-providing layer of the Go images that I've been planning to revisit in the near future.
from official-images.
I don't have the bandwidth to respond to all of this right now, so I'll focus on the bit that concerns me the most: the service provided at
snapshot.debian.org
is not currently well-maintained or well-staffed (hence the speed issues, but it's a much deeper problem), so I would be very uncomfortable intentionally adding to them the load of all our image builds/rebuilds.
This proposal does NOT enable snapshot.debian.org
for the upstream builds.
Third-party reproducers may opt-in to use snapshot.debian.org
by providing --secret id=enable-repro-sources-list,source=/dev/null
to repro the packages that were on the regular debian.org at the time of the SOURCE_DATE_EPOCH
.
(This secret is not really "secret" but made as a secret to avoid affecting the history
object in OCI Image Config blob)
Could you take a look at the PR again ?
At a high level, I think the best place to start here (especially as it would be the least disruptive) is making useful/interesting layers reproducible. For example, docker-library/golang@46f40bd is an old PoC that @yosifkit worked on which provides that for the Go-providing layer of the Go images that I've been planning to revisit in the near future.
In the case of httpd
image, the useful/interesting layer is the layer of the binaries such as /usr/local/bin/httpd
.
To reproduce the binaries we have to reproduce at least the compiler packages.
from official-images.
@tianon Could you take a look? 🙏
from official-images.
I'm only an interested bystander but I've long been looking for reproducible images, so that, using them as base images, I can create reproducible images for my projects, too.
@AkihiroSuda Would your proposal also include publishing those images on the daily, tagged by date (i.e. corresponding to the snapshot package sources), like @tianon currently does for Debian on a ~monthly basis?
This would be incredibly useful downstream as one could then simply bump the date tag of the base image on the daily to upgrade dependencies & protect against vulnerabilities while still preserving reproducibility.
from official-images.
FWIW, I've went through the not-yet-fully-smooth process of making the kas build containers for Yocto and Isar reproducible (https://github.com/siemens/kas/commits/next). Our containers as based on Debian, and it would be great to see our dependencies reproducible as well.
BTW, I had some fun with understanding differences due to cached layers that are apparently not rewritten timestamp-wise. Is that a known issue of BuildKit? I'm now refraining from caching layers persistently on GH and from using the cache completely (unfortunately) when validating locally.
from official-images.
BTW, I had some fun with understanding differences due to cached layers that are apparently not rewritten timestamp-wise.
Could you open an issue in https://github.com/moby/buildkit/issues ?
from official-images.
Done: moby/buildkit#4748
from official-images.
Related Issues (20)
- postgres:16 ls: cannot access '/docker-entrypoint-initdb.d/': Operation not permitted
- Missing Elastic Stack images for 8.10.3 8.10.4 and 7.17.14 HOT 4
- Elasticsearch arm images missing for 8.11.1 and 7.17.15 HOT 9
- Missing ARM64 image for eclipse-temurin alpine image with jdk11 HOT 1
- ARM32 image missing for eclipse-temurin:21-jre-jammy HOT 2
- Nnnn HOT 1
- Status of migration from Jenkins to GitHub Actions HOT 5
- Have official images be supported for podman HOT 2
- Have official images be supported for podman HOT 1
- New Official JDK and JRE Images using Alpine 3.19 HOT 1
- Base image rebuild questions HOT 6
- No updates of mariadb images on Docker Hub Repository HOT 8
- golang:1.22-alpine3.19 amd64 HOT 6
- Republish eclipse-temurin (ubuntu focal) images to incorporate openssl vulnerabilities fixes HOT 8
- Official Image hub does not have latest tags HOT 1
- Apache Solr ARM support is missing for 9.5.0 and 9.5 HOT 1
- High severity vulnerability in `libexpat` packages pulled into Alpine HOT 17
- More RISC-V builds - how can I help? HOT 6
- Add LoongArch architecture support HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from official-images.