Skip to content

[1.2 -> main] use debian's package snapshot repo for old buster packages needed in reproducible build #1843

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Aug 26, 2025
Merged

[1.2 -> main] use debian's package snapshot repo for old buster packages needed in reproducible build #1843

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7161377
use debian's package snapshot repo for old buster
spoonincode Aug 20, 2025
41b6fcb
include buster-updates when using snapshot repo
spoonincode Aug 21, 2025
0d5bb99
Merge pull request #1834 from AntelopeIO/bustersnapshot_12
spoonincode Aug 25, 2025
238a542
Merge remote-tracking branch 'spring/release/1.2' into HEAD
spoonincode Aug 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 9 additions & 11 deletions tools/reproducible.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,19 @@
# syntax=docker/dockerfile:1
# debian:buster on Sep 20 2023
FROM debian@sha256:d774a984460a74973e6ce4d1f87ab90f2818e41fcdd4802bcbdc4e0b67f9dadf AS builder
# debian:buster on Aug 20 2025 (tag from Jun 12, 2024)
FROM debian@sha256:58ce6f1271ae1c8a2006ff7d3e54e9874d839f573d8009c20154ad0f2fb0a225 AS builder

# If enabling the snapshot repo below, this ought to be after the base image time from above.
# date -u -d @1695620708 = Mon Sep 25 05:45:08 AM UTC 2023
ENV SOURCE_DATE_EPOCH=1695620708
# date -u -d @1752331000 = Sat Jul 12 02:36:40 PM UTC 2025
ENV SOURCE_DATE_EPOCH=1752331000

# The snapshot repo is currently disabled due to poor performance. Re-eval in the future.
# When the package repo is signed, a message in the payload indicates the time when the repo becomes stale. This protection
# nominally exists to ensure older versions of the package repo which may contain defective packages aren't served in the far
# future. But in our case, we want this pinned package repo at any future date. So [check-valid-until=no] to disable this check.
##RUN <<EOF
##cat <<EOS > /etc/apt/sources.list
##deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/$(date -d @${SOURCE_DATE_EPOCH} +%Y%m%dT%H%M%SZ)/ buster main
##deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/$(date -d @${SOURCE_DATE_EPOCH} +%Y%m%dT%H%M%SZ)/ buster/updates main
##EOS
##EOF
RUN DATETIMESTR=$(date -d @${SOURCE_DATE_EPOCH} +%Y%m%dT%H%M%SZ) && cat <<EOF > /etc/apt/sources.list
deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${DATETIMESTR}/ buster main
deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${DATETIMESTR}/ buster-updates main
deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${DATETIMESTR}/ buster/updates main
EOF

RUN apt-get update && apt-get -y upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y install build-essential \
file \
Expand Down