From e0f838a738ac2c966cfbe6685d1cc0e6266435ab Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 7 Jan 2020 16:55:51 -0800 Subject: [PATCH 1/2] Rewrite some bits of Debian image's "How It's Made" to clarify Per some feedback from Holger [1], I took the opportunity to rewrite/rephrase some of this to try and make it more clear how to reproduce the Debian tarballs with the `debuerreotype` tool, specifically around where to look to get the information required (timestamp, etc) to do so. [1]: https://lists.reproducible-builds.org/pipermail/rb-general/2020-January/001779.html --- debian/content.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/content.md b/debian/content.md index 10a8bea4b..c43f7ce71 100644 --- a/debian/content.md +++ b/debian/content.md @@ -30,6 +30,6 @@ ENV LANG en_US.utf8 ## How It's Made -The rootfs tarballs for this image are built using [the reproducible-Debian-rootfs tool, `debuerreotype`](https://github.com/debuerreotype/debuerreotype), with an explicit goal being that they are transparent and reproducible. Using the same toolchain, it should be possible to regenerate (clean-room!) the same tarballs used for building the official Debian images. +The rootfs tarballs for this image are built using [the reproducible-Debian-rootfs tool, `debuerreotype`](https://github.com/debuerreotype/debuerreotype), with an explicit goal being that they are transparent and reproducible. Using the same toolchain, it should be possible to regenerate (clean-room!) the same tarballs used for building the official Debian images. [The `build.sh` script in that debuerreotype repository](https://github.com/debuerreotype/debuerreotype/blob/master/build.sh) (and the `build-all.sh` companion/wrapper) is the canonical entrypoint used for creating the artifacts published in this image. -Additionally, the scripts in [%%GITHUB-REPO%%](%%GITHUB-REPO%%) are used to create each tag's `Dockerfile` and collect architecture-specific tarballs into a single place (for placement into [`dist-ARCH` branches on the same repository](%%GITHUB-REPO%%/branches), which also contain extra metadata about the artifacts included in each build, such as explicit package versions). +Additionally, the scripts in [%%GITHUB-REPO%%](%%GITHUB-REPO%%) are used to create each tag's `Dockerfile` and collect architecture-specific tarballs into [`dist-ARCH` branches on the same repository](%%GITHUB-REPO%%/branches), which also contain extra metadata about the artifacts included in each build, such as explicit package versions included in the base image (`rootfs.manifest`), the exact snapshot.debian.org timestamp used for `debuerreotype` invocation (`rootfs.debuerreotype-epoch`), the `sources.list` found in the image (`rootfs.sources-list`) and the one used during image creation (`rootfs.sources-list-snapshot`), etc. From 5c33b674d2516b617c72fe4f94ae85b2bea33d24 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Fri, 31 Jan 2020 10:35:38 -0800 Subject: [PATCH 2/2] Add a reference to the newly-created docker.debian.net --- debian/content.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/content.md b/debian/content.md index c43f7ce71..d44e4633b 100644 --- a/debian/content.md +++ b/debian/content.md @@ -33,3 +33,5 @@ ENV LANG en_US.utf8 The rootfs tarballs for this image are built using [the reproducible-Debian-rootfs tool, `debuerreotype`](https://github.com/debuerreotype/debuerreotype), with an explicit goal being that they are transparent and reproducible. Using the same toolchain, it should be possible to regenerate (clean-room!) the same tarballs used for building the official Debian images. [The `build.sh` script in that debuerreotype repository](https://github.com/debuerreotype/debuerreotype/blob/master/build.sh) (and the `build-all.sh` companion/wrapper) is the canonical entrypoint used for creating the artifacts published in this image. Additionally, the scripts in [%%GITHUB-REPO%%](%%GITHUB-REPO%%) are used to create each tag's `Dockerfile` and collect architecture-specific tarballs into [`dist-ARCH` branches on the same repository](%%GITHUB-REPO%%/branches), which also contain extra metadata about the artifacts included in each build, such as explicit package versions included in the base image (`rootfs.manifest`), the exact snapshot.debian.org timestamp used for `debuerreotype` invocation (`rootfs.debuerreotype-epoch`), the `sources.list` found in the image (`rootfs.sources-list`) and the one used during image creation (`rootfs.sources-list-snapshot`), etc. + +For convenience, the SHA256 checksum (and full build command) for each of the primary `rootfs.tar.xz` artifacts are also published at [docker.debian.net](https://docker.debian.net/).