diff --git a/3.1/alpine3.19/Dockerfile b/3.1/alpine3.19/Dockerfile index ab93cb527..6ade74235 100644 --- a/3.1/alpine3.19/Dockerfile +++ b/3.1/alpine3.19/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 597bd1849f252d8a6863cb5d38014ac54152b508c36dca156f6356a # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ 
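Review bot: `ENV SOURCE_DATE_EPOCH 0` in the @@ -6,6 +6,10 @@ hunk is a runtime setting, not only a build-time one: every container started from this image, and every image built on top of it, now carries SOURCE_DATE_EPOCH=0 in its environment, so any downstream tool that honours the variable (archivers, package builders, compilers that embed dates) will presumably stamp its output with 1970 unless the user overrides it. The comment explains why --build-arg was not an option but not that this side effect on derived images is accepted; I would extend it with `# NOTE: ENV (not ARG) is deliberate, so SOURCE_DATE_EPOCH=0 also ends up in the runtime environment of every derived image`. The same hunk is repeated in every file section of this diff, so one template change covers all of them. The space-separated `ENV key value` form matches the existing `ENV RUBY_DOWNLOAD_SHA256 …` lines in this file, though BuildKit's build checks now flag it in favour of `ENV SOURCE_DATE_EPOCH=0`.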
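Review bot: The `=0` appended to `--virtual .ruby-builddeps` in the @@ -36,7 +40,7 @@ hunk has no comment, and the intent is not obvious from the line itself. As far as I know apk otherwise derives a virtual package's version from the current time, so the version pin is what keeps apk's installed-package database reproducible; I would state that above the line: `# --virtual packages get a time-based version unless one is given, which would leak the build time into apk's installed database`. The same applies to `.ruby-rundeps=0` in the @@ -112,7 +121,7 @@ hunk of this file and to the corresponding hunks of every other alpine Dockerfile in the diff. The enclosing `RUN set -eux; \` command starts and ends outside the hunk.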
@@ -79,14 +83,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -112,7 +121,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.1/alpine3.20/Dockerfile b/3.1/alpine3.20/Dockerfile index 7b0a19ee4..8f43e2a67 100644 --- a/3.1/alpine3.20/Dockerfile +++ b/3.1/alpine3.20/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ 
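Review bot: The comment `# patch: --force is set for reproducing timestamps` in the @@ -79,14 +83,19 @@ hunk undersells what the two new flags do and why they matter for the SOURCE_DATE_EPOCH computed a few lines later. `--set-utc` gives the patched file the mtime from the patch header instead of the build time, which is what keeps the `find … stat -c '%Y' … | sort -nr | head -n1` result stable, and as I read GNU patch's documentation it only honours that when `--force` is also given because the tarball's file mtime does not match the header (`--force` also suppresses patch's prompts, e.g. it assumes a patch that looks reversed is not, while rejected hunks still exit non-zero under `set -e`); I would replace the one-line comment with a three-line one saying exactly that, so nobody drops `--force` as redundant later. For the epoch line itself, the pipeline runs without pipefail, so a failing `find`/`stat` yields an empty value that is caught only because `date --date "@"` then fails; I would make the `# for logging validation/edification` comment say so, e.g. `# also fails the build when the value is empty (the pipeline above has no pipefail)`. The same additions appear in the Debian hunks (e.g. @@ -44,6 +50,10 @@ in 3.1/bookworm) and in every other alpine file section of the diff; the enclosing `RUN set -eux; \` starts and ends outside the hunk.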
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 597bd1849f252d8a6863cb5d38014ac54152b508c36dca156f6356a # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ @@ -79,14 +83,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -112,7 +121,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.1/bookworm/Dockerfile b/3.1/bookworm/Dockerfile index 321119217..38a1e938a 100644 --- a/3.1/bookworm/Dockerfile +++ b/3.1/bookworm/Dockerfile 
@@ -6,6 +6,10 @@ FROM buildpack-deps:bookworm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -34,6 +38,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ @@ -44,6 +50,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -74,6 +84,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.1/bullseye/Dockerfile b/3.1/bullseye/Dockerfile index 245e907ba..7aff2c24f 100644 --- a/3.1/bullseye/Dockerfile +++ b/3.1/bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM buildpack-deps:bullseye +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ 
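Review bot: `rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\` in the @@ -34,6 +38,8 @@ hunk of 3.1/bookworm removes the directories under /var/log (such as /var/log/apt), not only the log files, and I cannot tell from here whether apt and dpkg in a derived image recreate them silently or warn about missing log paths on the user's next `apt-get install`. `find /var/log -type f -delete` would drop the same timestamp-bearing files while keeping the directory layout; the dpkg status database that SBOM and vulnerability scanners read is untouched either way, so the only auditing loss is the apt/dpkg install history in those logs, which is worth a word in the `# clean up for reproducibility` comment. The spacing ` ;\` also differs from the ` ; \` convention used on every other line of this RUN. The same line is added in the @@ -74,6 +84,8 @@ hunk below and in every bookworm, bullseye and slim file section of this diff; the enclosing `RUN set -eux; \` starts and ends outside the hunk.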
@@ -34,6 +38,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ @@ -44,6 +50,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -74,6 +84,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.1/slim-bookworm/Dockerfile b/3.1/slim-bookworm/Dockerfile index 6d83ac067..9a1f05496 100644 --- a/3.1/slim-bookworm/Dockerfile +++ b/3.1/slim-bookworm/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +67,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ 
@@ -71,6 +79,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -101,6 +113,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.1/slim-bullseye/Dockerfile b/3.1/slim-bullseye/Dockerfile index 22a77ef17..156f4804b 100644 --- a/3.1/slim-bullseye/Dockerfile +++ b/3.1/slim-bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +67,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ 
@@ -71,6 +79,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -101,6 +113,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/alpine3.19/Dockerfile b/3.2/alpine3.19/Dockerfile index 745c0e4dc..53031b6ef 100644 --- a/3.2/alpine3.19/Dockerfile +++ b/3.2/alpine3.19/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 7780d91130139406d39b29ed8fe16bba350d8fa00e510c76bef9b8e # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ 
@@ -101,14 +105,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -136,7 +145,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.2/alpine3.20/Dockerfile b/3.2/alpine3.20/Dockerfile index 7cda9dd6a..31ba83392 100644 --- a/3.2/alpine3.20/Dockerfile +++ b/3.2/alpine3.20/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ 
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 7780d91130139406d39b29ed8fe16bba350d8fa00e510c76bef9b8e # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ @@ -101,14 +105,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -136,7 +145,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.2/bookworm/Dockerfile b/3.2/bookworm/Dockerfile index c6fb3f5bc..faede9572 100644 --- a/3.2/bookworm/Dockerfile +++ b/3.2/bookworm/Dockerfile 
@@ -6,6 +6,10 @@ FROM buildpack-deps:bookworm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -34,6 +38,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -66,6 +72,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -98,6 +108,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/bullseye/Dockerfile b/3.2/bullseye/Dockerfile index 5139f2d1b..1c08bca63 100644 --- a/3.2/bullseye/Dockerfile +++ b/3.2/bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM buildpack-deps:bullseye +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -34,6 +38,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -66,6 +72,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -98,6 +108,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/slim-bookworm/Dockerfile b/3.2/slim-bookworm/Dockerfile index 5e0a6d70c..eadfbfff1 100644 --- a/3.2/slim-bookworm/Dockerfile +++ b/3.2/slim-bookworm/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +67,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -93,6 +101,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -125,6 +137,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/slim-bullseye/Dockerfile b/3.2/slim-bullseye/Dockerfile index 9cd869858..4589fd694 100644 --- a/3.2/slim-bullseye/Dockerfile +++ b/3.2/slim-bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +67,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -93,6 +101,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -125,6 +137,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/alpine3.19/Dockerfile b/3.3/alpine3.19/Dockerfile index 773faebcc..52d53de2e 100644 --- a/3.3/alpine3.19/Dockerfile +++ b/3.3/alpine3.19/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 51aec7ea89b46125a2c9adc6f36766b65023d47952b916b1aed300d # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bzip2 \ bzip2-dev \ 
@@ -99,14 +103,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -134,7 +143,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.3/alpine3.20/Dockerfile b/3.3/alpine3.20/Dockerfile index efdb58097..27be424a0 100644 --- a/3.3/alpine3.20/Dockerfile +++ b/3.3/alpine3.20/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ 
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 51aec7ea89b46125a2c9adc6f36766b65023d47952b916b1aed300d # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bzip2 \ bzip2-dev \ @@ -99,14 +103,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -134,7 +143,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.3/bookworm/Dockerfile b/3.3/bookworm/Dockerfile index 5978b00a7..0540e14d2 100644 --- a/3.3/bookworm/Dockerfile +++ b/3.3/bookworm/Dockerfile 
@@ -6,6 +6,10 @@ FROM buildpack-deps:bookworm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -33,6 +37,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -65,6 +71,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -97,6 +107,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/bullseye/Dockerfile b/3.3/bullseye/Dockerfile index 32baf57c8..a1df17464 100644 --- a/3.3/bullseye/Dockerfile +++ b/3.3/bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM buildpack-deps:bullseye +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -33,6 +37,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -65,6 +71,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -97,6 +107,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/slim-bookworm/Dockerfile b/3.3/slim-bookworm/Dockerfile index caa2856ab..b226e12ca 100644 --- a/3.3/slim-bookworm/Dockerfile +++ b/3.3/slim-bookworm/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -59,6 +65,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -91,6 +99,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -123,6 +135,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/slim-bullseye/Dockerfile b/3.3/slim-bullseye/Dockerfile index 33c527a4f..0c2ddb9b0 100644 --- a/3.3/slim-bullseye/Dockerfile +++ b/3.3/slim-bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -59,6 +65,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -91,6 +99,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -123,6 +135,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.4-rc/alpine3.19/Dockerfile b/3.4-rc/alpine3.19/Dockerfile index 31c122366..0cd3cbfa4 100644 --- a/3.4-rc/alpine3.19/Dockerfile +++ b/3.4-rc/alpine3.19/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 626bf4fe952323c15ec9a8999f470ec136ef91c0fc34c484646aaaa # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bzip2 \ bzip2-dev \ 
@@ -99,14 +103,19 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -134,7 +143,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 \
 cd /; \
diff --git a/3.4-rc/alpine3.20/Dockerfile b/3.4-rc/alpine3.20/Dockerfile
index f5069fcf5..52f33260c 100644
--- a/3.4-rc/alpine3.20/Dockerfile
+++ b/3.4-rc/alpine3.20/Dockerfile
@@ -6,6 +6,10 @@
 FROM alpine:3.20
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 RUN set -eux; \
 apk add --no-cache \
 bzip2 \
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 626bf4fe952323c15ec9a8999f470ec136ef91c0fc34c484646aaaa
 # we purge system ruby later to make sure our final image uses what we just built
 RUN set -eux; \
 \
- apk add --no-cache --virtual .ruby-builddeps \
+ apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 bzip2 \
 bzip2-dev \
@@ -99,14 +103,19 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -134,7 +143,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 \
 cd /; \
diff --git a/3.4-rc/bookworm/Dockerfile b/3.4-rc/bookworm/Dockerfile
index 2b05b5929..1f24434de 100644
--- a/3.4-rc/bookworm/Dockerfile
+++ b/3.4-rc/bookworm/Dockerfile
@@ -6,6 +6,10 @@
 FROM buildpack-deps:bookworm
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 # skip installing gem documentation
 RUN set -eux; \
 mkdir -p /usr/local/etc; \
@@ -33,6 +37,8 @@ RUN set -eux; \
 ruby \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -65,6 +71,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -97,6 +107,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/bullseye/Dockerfile b/3.4-rc/bullseye/Dockerfile
index 77f24fe45..106f53e5d 100644
--- a/3.4-rc/bullseye/Dockerfile
+++ b/3.4-rc/bullseye/Dockerfile
@@ -6,6 +6,10 @@
 FROM buildpack-deps:bullseye
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 # skip installing gem documentation
 RUN set -eux; \
 mkdir -p /usr/local/etc; \
@@ -33,6 +37,8 @@ RUN set -eux; \
 ruby \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -65,6 +71,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -97,6 +107,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/slim-bookworm/Dockerfile b/3.4-rc/slim-bookworm/Dockerfile
index b1244cda9..94a6220d1 100644
--- a/3.4-rc/slim-bookworm/Dockerfile
+++ b/3.4-rc/slim-bookworm/Dockerfile
@@ -6,6 +6,10 @@
 FROM debian:bookworm-slim
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends \
@@ -18,7 +22,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 # skip installing gem documentation
 RUN set -eux; \
@@ -59,6 +65,8 @@ RUN set -eux; \
 xz-utils \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -91,6 +99,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -123,6 +135,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/slim-bullseye/Dockerfile b/3.4-rc/slim-bullseye/Dockerfile
index 67435a941..a35af4880 100644
--- a/3.4-rc/slim-bullseye/Dockerfile
+++ b/3.4-rc/slim-bullseye/Dockerfile
@@ -6,6 +6,10 @@
 FROM debian:bullseye-slim
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends \
@@ -18,7 +22,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 # skip installing gem documentation
 RUN set -eux; \
@@ -59,6 +65,8 @@ RUN set -eux; \
 xz-utils \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -91,6 +99,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -123,6 +135,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/Dockerfile.template b/Dockerfile.template
index c5ceed1ca..1328fa3a8 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -13,6 +13,10 @@ FROM debian:{{ env.variant | ltrimstr("slim-") }}-slim
 FROM buildpack-deps:{{ env.variant }}
 {{ ) end -}}
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 {{ if is_alpine then ( -}}
 RUN set -eux; \
 apk add --no-cache \
@@ -38,7 +42,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 {{ ) else "" end -}}
 # skip installing gem documentation
@@ -61,7 +67,7 @@ ENV RUBY_DOWNLOAD_SHA256 {{ .sha256.xz }}
 RUN set -eux; \
 \
 {{ if is_alpine then ( -}}
- apk add --no-cache --virtual .ruby-builddeps \
+ apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 {{ if env.version | rtrimstr("-rc") | IN("3.1", "3.2") then ( -}}
 {{ # https://github.com/docker-library/ruby/pull/438 -}}
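Review bot: `ENV SOURCE_DATE_EPOCH 0` in the Dockerfile.template hunk is written into the image config, so it is not just a build-time knob: every container started from the published image, and every downstream `FROM ruby:…` build, inherits `SOURCE_DATE_EPOCH=0` in its environment, and tools that honour the variable (RubyGems' `gem build` among them, as far as I know) will silently clamp their timestamps to 1970. The comment explains why `--build-arg` could not be used but says nothing about this runtime side effect, and a Dockerfile cannot unset an `ENV` later, so the trade-off should at least be stated where it is made, e.g. `# NOTE: this also persists into the runtime environment of the image and of images built FROM it; override SOURCE_DATE_EPOCH yourself if you need real timestamps.` It would also be worth mentioning that the value only serves as a fallback here, since the Ruby build step re-exports an epoch derived from the source tree before configuring.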
@@ -126,6 +132,8 @@ RUN set -eux; \
 {{ ) else "" end -}}
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 {{ ) end -}}
 {{ if .rust.version then ( -}}
 \
@@ -210,15 +218,20 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
 {{ ) else "" end -}}
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -251,7 +264,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 {{ ) else ( -}}
 apt-mark auto '.*' > /dev/null; \
@@ -265,6 +278,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 {{ ) end -}}
 \
 cd /; \