new command: rebuild #1784

Merged
merged 4 commits into from
Feb 13, 2025

Conversation

@imjasonh imjasonh commented Feb 12, 2025

This adds a new top-level command, melange rebuild, which takes an existing APK (or multiple), and extracts the .melange.yaml and .PKGINFO embedded in the control section, and uses it to build the package again from locked inputs.

The intention is that we would be able to tell whether package builds are reproducible when built with all the same config and versions of the tools that were originally used, and if they're not reproducible, how.

Initial tests are promising!

To rebuild our crane package:

$ go run ./ rebuild <(curl -sL https://apk.cgr.dev/chainguard/x86_64/crane-0.20.3-r2.apk)

Its crane binary has the same digest as the original package:

$ tar -Oxf x86_64/crane-0.20.3-r2.apk usr/bin/crane | sha256sum -
eaa2d9818a1889daf9fb8fba44e5dba3082a9d22e204e1ff34369fa5491416a4  -
$ curl -sL https://apk.cgr.dev/chainguard/x86_64/crane-0.20.3-r2.apk | tar -Ox usr/bin/crane | sha256sum -
eaa2d9818a1889daf9fb8fba44e5dba3082a9d22e204e1ff34369fa5491416a4  -

🎉

There are, however, some differences in the surrounding package metadata, which is either a TODO for rebuild or for how we embed stuff into .melange.yaml.

$ diff \
  <(tar -Oxf x86_64/crane-0.20.3-r2.apk .melange.yaml) \
  <(curl -sL https://apk.cgr.dev/chainguard/x86_64/crane-0.20.3-r2.apk | tar -Ox .melange.yaml)
  • accounts block is moved around inexplicably
  • crane is added twice to the test package dependencies

File contents are also slightly different:

$ diff \
  <(tar -tvf x86_64/crane-0.20.3-r2.apk | sort) \
  <(curl -sL https://apk.cgr.dev/chainguard/x86_64/crane-0.20.3-r2.apk | tar -tv | sort)
1d0
< -rw-r--r--  0 jason  dialout     3054 Feb  8 15:03 var/lib/db/sbom/crane-0.20.3-r2.spdx.json
3,10c2,10
< -rw-r--r--  0 root   root    12409 Feb  8 15:03 .melange.yaml
< -rwxr-xr-x  0 jason  dialout 11870488 Feb  8 15:03 usr/bin/crane
---
> -rw-r--r--  0 root   root     2936 Feb  8 15:03 var/lib/db/sbom/crane-0.20.3-r2.spdx.json
> -rw-r--r--  0 root   root    11827 Feb  8 15:03 .melange.yaml
> -rwxr-xr-x  0 root   root 11870488 Feb  8 15:03 usr/bin/crane
  • owner dialout probably because of docker runner vs bwrap
  • SBOM is different, probably due to missing metadata

To enable this, it's only a warning to include uses and with with a pipeline, since that's how we resolve the .melange.yaml.

Signed-off-by: Jason Hall <jason@chainguard.dev>
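The comparison the PR does by hand above (same binary digest, different .melange.yaml and SBOM), as an added example that is not part of the melange code base: it walks an APK's concatenated gzip sections, which is where rebuild reads .PKGINFO and .melange.yaml from the control section, and digests every regular file so an original and a rebuilt package can be diffed path by path. The tarGz helper and the file contents fed to it are constructed stand-ins, not real APK data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"fmt"
	"io"
)

// fileDigests maps every regular file in an APK (all gzip members: signature, control, data) to its sha256 hex.
func fileDigests(apk []byte) (map[string]string, error) {
	out := map[string]string{}
	r := bytes.NewReader(apk) // an io.ByteReader, so gzip never reads past a member
	for r.Len() > 0 {
		gz, err := gzip.NewReader(r)
		if err != nil {
			return nil, err
		}
		gz.Multistream(false) // stop at this member's trailer, not at end of input
		tr := tar.NewReader(gz)
		for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
			if err != nil {
				return nil, err
			}
			if body, err := io.ReadAll(tr); err != nil {
				return nil, err
			} else if h.Typeflag == tar.TypeReg {
				out[h.Name] = fmt.Sprintf("%x", sha256.Sum256(body))
			}
		}
		io.Copy(io.Discard, gz) // drain tar padding so r sits at the next member
	}
	return out, nil
}

// tarGz builds one gzip'd tar section from constructed sample files (real APKs come from melange, not this).
func tarGz(files map[string]string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, body := range files {
		tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
		tw.Write([]byte(body))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
```

Concatenating a control section (.PKGINFO plus .melange.yaml) and a data section from tarGz gives the same two-member layout fileDigests expects from a signed APK minus its signature member; running it over the original and the rebuilt package and comparing the maps reproduces the finding above, an identical usr/bin/crane digest next to a differing .melange.yaml.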
@imjasonh imjasonh marked this pull request as ready for review February 13, 2025 18:23
@imjasonh imjasonh merged commit 8b06ac5 into chainguard-dev:main Feb 13, 2025
37 checks passed