From 770cbeaa275a2c54d6d7deb58bdbcbef37c732b5 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Thu, 2 May 2024 15:35:36 +0900 Subject: [PATCH] Support reproducible builds (except packages) See docker-library/official-images issue 16044 - `ARG SOURCE_DATE_EPOCH` is added. The argument value is consumed by the build scripts to make the binary reproducible. - For Debian, `/var/log/*` is removed as they contain timestamps - For Debian, `/var/cache/ldconfig/aux-cache` is removed as they contain inode numbers, etc. - For Alpine, virtual package versions are pinned to "0" to eliminate the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed` > [!NOTE] > The following topics are NOT covered by this commit: > > - To reproduce file timestamps in layers, BuildKit has to be executed with > `--output type=,rewrite-timestamp=true`. > Needs BuildKit v0.13 or later. > > - To reproduce the base image by the hash, reproducers may: > - modify the `FROM` instruction in Dockerfile manually > - or, use the `CONVERT` action of source policies to replace the base image. > > > - To reproduce packages, see the `RUN` instruction hook proposed in > moby/buildkit issue 4576 Also, Alpine-based images still have the following diff: ```diff diff -ur /tmp/foo/diff/input-0/layers-3/lib/apk/db/installed /tmp/foo/diff/input-1/layers-3/lib/apk/db/installed --- /tmp/foo/diff/input-0/layers-3/lib/apk/db/installed 2024-04-26 07:07:33.000000000 +0900 +++ /tmp/foo/diff/input-1/layers-3/lib/apk/db/installed 2024-04-26 07:07:33.000000000 +0900 @@ -1,4 +1,4 @@ -C:Q1z4Lv7mwS00FpNJwDUHdH70eM2ic= +C:Q1gHSJHNX/rtq0yNsVTKaNb96s8Mk= P:.ruby-rundeps V:0 A:noarch ``` 
Signed-off-by: Akihiro Suda
---
 3.1/alpine3.19/Dockerfile | 14 +++++++++++---
 3.1/alpine3.20/Dockerfile | 14 +++++++++++---
 3.1/bookworm/Dockerfile | 11 +++++++++++
 3.1/bullseye/Dockerfile | 11 +++++++++++
 3.1/slim-bookworm/Dockerfile | 15 ++++++++++++++-
 3.1/slim-bullseye/Dockerfile | 15 ++++++++++++++-
 3.2/alpine3.19/Dockerfile | 14 +++++++++++---
 3.2/alpine3.20/Dockerfile | 14 +++++++++++---
 3.2/bookworm/Dockerfile | 11 +++++++++++
 3.2/bullseye/Dockerfile | 11 +++++++++++
 3.2/slim-bookworm/Dockerfile | 15 ++++++++++++++-
 3.2/slim-bullseye/Dockerfile | 15 ++++++++++++++-
 3.3/alpine3.19/Dockerfile | 14 +++++++++++---
 3.3/alpine3.20/Dockerfile | 14 +++++++++++---
 3.3/bookworm/Dockerfile | 11 +++++++++++
 3.3/bullseye/Dockerfile | 11 +++++++++++
 3.3/slim-bookworm/Dockerfile | 15 ++++++++++++++-
 3.3/slim-bullseye/Dockerfile | 15 ++++++++++++++-
 3.4-rc/alpine3.19/Dockerfile | 14 +++++++++++---
 3.4-rc/alpine3.20/Dockerfile | 14 +++++++++++---
 3.4-rc/bookworm/Dockerfile | 11 +++++++++++
 3.4-rc/bullseye/Dockerfile | 11 +++++++++++
 3.4-rc/slim-bookworm/Dockerfile | 15 ++++++++++++++-
 3.4-rc/slim-bullseye/Dockerfile | 15 ++++++++++++++-
 Dockerfile.template | 22 ++++++++++++++++++----
 25 files changed, 306 insertions(+), 36 deletions(-)

diff --git a/3.1/alpine3.19/Dockerfile b/3.1/alpine3.19/Dockerfile
index b35693036..b4e66f585 100644
--- a/3.1/alpine3.19/Dockerfile
+++ b/3.1/alpine3.19/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM alpine:3.19
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 apk add --no-cache \
 bzip2 \
@@ -36,7 +39,7 @@ ENV RUBY_DOWNLOAD_SHA256 597bd1849f252d8a6863cb5d38014ac54152b508c36dca156f6356a
 # we purge system ruby later to make sure our final image uses what we just built
 RUN set -eux; \
 \
-apk add --no-cache --virtual .ruby-builddeps \
+apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 bison \
 bzip2 \
@@ -79,14 +82,19 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
-patch -p1 -i thread-stack-fix.patch; \
+patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
+SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -112,7 +120,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
-apk add --no-network --virtual .ruby-rundeps $runDeps; \
+apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 \
 cd /; \
diff --git a/3.1/alpine3.20/Dockerfile b/3.1/alpine3.20/Dockerfile
index fd1ce5075..767777d12 100644
--- a/3.1/alpine3.20/Dockerfile
+++ b/3.1/alpine3.20/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM alpine:3.20
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 apk add --no-cache \
 bzip2 \
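Review bot: The `SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"` assignment in the @@ -79 hunk silently replaces the caller-supplied `ARG SOURCE_DATE_EPOCH` for the rest of this RUN, and nothing checks that the pipeline produced a value — under `set -eux` without pipefail a failing `find` or `stat` leaves `head` as the pipeline's exit status, so the variable becomes an empty string instead of aborting the build. If the override is intended (the commit message says the global value is for commands not tied to a source artifact), say so where it happens, e.g. `# derive the epoch from the newest file in the checksum-verified tarball; this intentionally overrides the build ARG for the ruby build itself`, and add `[ -n "$SOURCE_DATE_EPOCH" ]; \` before the `date` call so validation does not depend on `date` rejecting a bare `@`. The same four lines recur in every other Dockerfile of this series and presumably originate in Dockerfile.template, which is outside this chunk, so the fix belongs there. Separately, `patch --force` does more than avoid the timestamp prompt that `--set-utc` introduces — it also assumes a patch is not reversed even when it looks reversed — so the new `# patch: --force is set for reproducing timestamps` comment should add that the preceding `sha256sum --check --strict` on the patch file is what makes skipping those checks acceptable. The enclosing RUN starts and ends outside the hunk.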
@@ -36,7 +39,7 @@ ENV RUBY_DOWNLOAD_SHA256 597bd1849f252d8a6863cb5d38014ac54152b508c36dca156f6356a # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ @@ -79,14 +82,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -112,7 +120,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.1/bookworm/Dockerfile b/3.1/bookworm/Dockerfile index 384052911..47b98763e 100644 --- a/3.1/bookworm/Dockerfile +++ b/3.1/bookworm/Dockerfile 
@@ -6,6 +6,9 @@
 
 FROM buildpack-deps:bookworm
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 # skip installing gem documentation
 RUN set -eux; \
 mkdir -p /usr/local/etc; \
@@ -34,6 +37,8 @@ RUN set -eux; \
 ruby \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \
 echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \
@@ -44,6 +49,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -74,6 +83,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.1/bullseye/Dockerfile b/3.1/bullseye/Dockerfile
index 8b6e39e87..9ced92694 100644
--- a/3.1/bullseye/Dockerfile
+++ b/3.1/bullseye/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM buildpack-deps:bullseye
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 # skip installing gem documentation
 RUN set -eux; \
 mkdir -p /usr/local/etc; \
@@ -34,6 +37,8 @@ RUN set -eux; \
 ruby \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \
 echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \
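Review bot: The added `rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\` in the @@ -34 hunk of 3.1/bookworm/Dockerfile breaks the `; \` spacing every other continued line in this RUN uses; write it as `rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \`. The identical line appears again in the @@ -74 hunk here and in every Debian-based file of this series (bullseye and both slim variants), and since these files are generated, the spacing fix belongs in Dockerfile.template, which is outside this chunk. The `# clean up for reproducibility` comment would also benefit from stating the trade-off: wiping `/var/log/*` discards the apt and dpkg install logs that would otherwise remain in the image, which is accepted here because those logs carry build timestamps. The enclosing RUN starts and ends outside the hunk.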
@@ -44,6 +49,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -74,6 +83,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.1/slim-bookworm/Dockerfile b/3.1/slim-bookworm/Dockerfile index 626c5bab4..7fe309243 100644 --- a/3.1/slim-bookworm/Dockerfile +++ b/3.1/slim-bookworm/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +21,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +66,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ @@ -71,6 +78,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ 
@@ -101,6 +112,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.1/slim-bullseye/Dockerfile b/3.1/slim-bullseye/Dockerfile index 66594aec2..b33338b3c 100644 --- a/3.1/slim-bullseye/Dockerfile +++ b/3.1/slim-bullseye/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +21,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +66,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ @@ -71,6 +78,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -101,6 +112,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/alpine3.19/Dockerfile b/3.2/alpine3.19/Dockerfile index a8c92e9cf..0e09f3441 100644 --- a/3.2/alpine3.19/Dockerfile 
+++ b/3.2/alpine3.19/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +39,7 @@ ENV RUBY_DOWNLOAD_SHA256 e7f1653d653232ec433472489a91afbc7433c9f760cc822defe7437 # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ @@ -101,14 +104,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ 
@@ -136,7 +144,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.2/alpine3.20/Dockerfile b/3.2/alpine3.20/Dockerfile index acafda504..b71fa6e83 100644 --- a/3.2/alpine3.20/Dockerfile +++ b/3.2/alpine3.20/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +39,7 @@ ENV RUBY_DOWNLOAD_SHA256 e7f1653d653232ec433472489a91afbc7433c9f760cc822defe7437 # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ 
@@ -101,14 +104,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -136,7 +144,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.2/bookworm/Dockerfile b/3.2/bookworm/Dockerfile index 74ce1a0df..5f8fda3ee 100644 --- a/3.2/bookworm/Dockerfile +++ b/3.2/bookworm/Dockerfile @@ -6,6 +6,9 @@ FROM buildpack-deps:bookworm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ 
@@ -34,6 +37,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -66,6 +71,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -98,6 +107,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/bullseye/Dockerfile b/3.2/bullseye/Dockerfile index 2b070f6c2..e53aeaec8 100644 --- a/3.2/bullseye/Dockerfile +++ b/3.2/bullseye/Dockerfile @@ -6,6 +6,9 @@ FROM buildpack-deps:bullseye +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -34,6 +37,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -66,6 +71,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ 
@@ -98,6 +107,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/slim-bookworm/Dockerfile b/3.2/slim-bookworm/Dockerfile index bf66d8db0..6b04d1637 100644 --- a/3.2/slim-bookworm/Dockerfile +++ b/3.2/slim-bookworm/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +21,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +66,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -93,6 +100,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -125,6 +136,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/slim-bullseye/Dockerfile b/3.2/slim-bullseye/Dockerfile index 23897b7fa..ac2095564 100644 --- a/3.2/slim-bullseye/Dockerfile +++ b/3.2/slim-bullseye/Dockerfile 
@@ -6,6 +6,9 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +21,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +66,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -93,6 +100,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -125,6 +136,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/alpine3.19/Dockerfile b/3.3/alpine3.19/Dockerfile index 7e260e9f3..6584a2731 100644 --- a/3.3/alpine3.19/Dockerfile +++ b/3.3/alpine3.19/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apk add --no-cache \ bzip2 \ 
@@ -36,7 +39,7 @@ ENV RUBY_DOWNLOAD_SHA256 b5e8a8ed4a47cdd9a3358b5bdd998c37bd9e971ca63766a37d5ae59 # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bzip2 \ bzip2-dev \ @@ -99,14 +102,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -134,7 +142,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.3/alpine3.20/Dockerfile b/3.3/alpine3.20/Dockerfile index 87e5746f7..28e7e2bd5 100644 --- a/3.3/alpine3.20/Dockerfile +++ b/3.3/alpine3.20/Dockerfile 
@@ -6,6 +6,9 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +39,7 @@ ENV RUBY_DOWNLOAD_SHA256 b5e8a8ed4a47cdd9a3358b5bdd998c37bd9e971ca63766a37d5ae59 # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bzip2 \ bzip2-dev \ @@ -99,14 +102,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ 
@@ -134,7 +142,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.3/bookworm/Dockerfile b/3.3/bookworm/Dockerfile index 8f68b3132..519ef50e4 100644 --- a/3.3/bookworm/Dockerfile +++ b/3.3/bookworm/Dockerfile @@ -6,6 +6,9 @@ FROM buildpack-deps:bookworm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -33,6 +36,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -65,6 +70,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -97,6 +106,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/bullseye/Dockerfile b/3.3/bullseye/Dockerfile index 1a5c62143..9b5d2acdb 100644 --- a/3.3/bullseye/Dockerfile +++ b/3.3/bullseye/Dockerfile @@ -6,6 +6,9 @@ FROM buildpack-deps:bullseye +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ 
@@ -33,6 +36,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -65,6 +70,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -97,6 +106,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/slim-bookworm/Dockerfile b/3.3/slim-bookworm/Dockerfile index ecb3ac6c4..8b061d41a 100644 --- a/3.3/slim-bookworm/Dockerfile +++ b/3.3/slim-bookworm/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +21,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -59,6 +64,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -91,6 +98,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -123,6 +134,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/slim-bullseye/Dockerfile b/3.3/slim-bullseye/Dockerfile index 1a04eb133..e4affd666 100644 --- a/3.3/slim-bullseye/Dockerfile +++ b/3.3/slim-bullseye/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact +ARG SOURCE_DATE_EPOCH + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +21,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -59,6 +64,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -91,6 +98,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ 
@@ -123,6 +134,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/alpine3.19/Dockerfile b/3.4-rc/alpine3.19/Dockerfile
index 9eb48f142..c963b68b0 100644
--- a/3.4-rc/alpine3.19/Dockerfile
+++ b/3.4-rc/alpine3.19/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM alpine:3.19
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 apk add --no-cache \
 bzip2 \
@@ -36,7 +39,7 @@ ENV RUBY_DOWNLOAD_SHA256 4ee4ec44366050d4b2ee1d88034cc63e0b9174a1a6650285777f3d3
 # we purge system ruby later to make sure our final image uses what we just built
 RUN set -eux; \
 \
- apk add --no-cache --virtual .ruby-builddeps \
+ apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 bzip2 \
 bzip2-dev \
@@ -99,14 +102,19 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -134,7 +142,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 \
 cd /; \
diff --git a/3.4-rc/alpine3.20/Dockerfile b/3.4-rc/alpine3.20/Dockerfile
index 3417b89dc..496fa4270 100644
--- a/3.4-rc/alpine3.20/Dockerfile
+++ b/3.4-rc/alpine3.20/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM alpine:3.20
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 apk add --no-cache \
 bzip2 \
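Review bot: The comment `# patch: --force is set for reproducing timestamps` attributes the timestamp behaviour to the wrong flag: `--set-utc` is what makes patch write the header timestamps onto the patched file, while `--force`, as far as I recall GNU patch's behaviour, is what lets it still do so when the input file's mtime does not match the old timestamp in the patch header, and it additionally disables the reversed-patch and `Prereq:` checks. Giving up those checks is acceptable here only because the patch is pinned by the `sha256sum --check --strict` line above it, which is worth stating; I'd reword the comment to `# --set-utc applies the header timestamps (reproducible mtimes); --force is needed for that when the file's mtime differs, and is safe because the patch content is pinned by the sha256 check below`. The same comment is added in 3.4-rc/alpine3.20/Dockerfile and in Dockerfile.template on this page. The enclosing RUN starts and ends outside this hunk.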
@@ -36,7 +39,7 @@ ENV RUBY_DOWNLOAD_SHA256 4ee4ec44366050d4b2ee1d88034cc63e0b9174a1a6650285777f3d3
 # we purge system ruby later to make sure our final image uses what we just built
 RUN set -eux; \
 \
- apk add --no-cache --virtual .ruby-builddeps \
+ apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 bzip2 \
 bzip2-dev \
@@ -99,14 +102,19 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -134,7 +142,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 \
 cd /; \
diff --git a/3.4-rc/bookworm/Dockerfile b/3.4-rc/bookworm/Dockerfile
index 4b736cbbf..a9ce06625 100644
--- a/3.4-rc/bookworm/Dockerfile
+++ b/3.4-rc/bookworm/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM buildpack-deps:bookworm
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 # skip installing gem documentation
 RUN set -eux; \
 mkdir -p /usr/local/etc; \
@@ -33,6 +36,8 @@ RUN set -eux; \
 ruby \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -65,6 +70,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -97,6 +106,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/bullseye/Dockerfile b/3.4-rc/bullseye/Dockerfile
index bc900b2d0..348ba0d1b 100644
--- a/3.4-rc/bullseye/Dockerfile
+++ b/3.4-rc/bullseye/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM buildpack-deps:bullseye
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 # skip installing gem documentation
 RUN set -eux; \
 mkdir -p /usr/local/etc; \
@@ -33,6 +36,8 @@ RUN set -eux; \
 ruby \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -65,6 +70,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -97,6 +106,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/slim-bookworm/Dockerfile b/3.4-rc/slim-bookworm/Dockerfile
index b74c10f52..bf44568fa 100644
--- a/3.4-rc/slim-bookworm/Dockerfile
+++ b/3.4-rc/slim-bookworm/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM debian:bookworm-slim
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends \
@@ -18,7 +21,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 
 # skip installing gem documentation
 RUN set -eux; \
@@ -59,6 +64,8 @@ RUN set -eux; \
 xz-utils \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -91,6 +98,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -123,6 +134,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/slim-bullseye/Dockerfile b/3.4-rc/slim-bullseye/Dockerfile
index c7a484607..6386a6545 100644
--- a/3.4-rc/slim-bullseye/Dockerfile
+++ b/3.4-rc/slim-bullseye/Dockerfile
@@ -6,6 +6,9 @@
 
 FROM debian:bullseye-slim
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends \
@@ -18,7 +21,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 
 # skip installing gem documentation
 RUN set -eux; \
@@ -59,6 +64,8 @@ RUN set -eux; \
 xz-utils \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -91,6 +98,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -123,6 +134,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/Dockerfile.template b/Dockerfile.template
index 66466f944..64f8d551d 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -13,6 +13,9 @@ FROM debian:{{ env.variant | ltrimstr("slim-") }}-slim
 FROM buildpack-deps:{{ env.variant }}
 {{ ) end -}}
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 {{ if is_alpine then ( -}}
 RUN set -eux; \
 apk add --no-cache \
@@ -38,7 +41,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 {{ ) else "" end -}}
 
 # skip installing gem documentation
@@ -61,7 +66,7 @@ ENV RUBY_DOWNLOAD_SHA256 {{ .sha256.xz }}
 RUN set -eux; \
 \
 {{ if is_alpine then ( -}}
- apk add --no-cache --virtual .ruby-builddeps \
+ apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 {{ if [ "3.1", "3.2" ] | index(env.version | rtrimstr("-rc")) then ( -}}
 {{ # https://github.com/docker-library/ruby/pull/438 -}}
@@ -126,6 +131,8 @@ RUN set -eux; \
 {{ ) else "" end -}}
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 {{ ) end -}}
 {{ if .rust.version then ( -}}
 \
@@ -210,15 +217,20 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
 {{ ) else "" end -}}
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -251,7 +263,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 {{ ) else ( -}}
 apt-mark auto '.*' > /dev/null; \
@@ -265,6 +277,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 {{ ) end -}}
 \
 cd /; \