Arch Linux now has a bit-for-bit reproducible Docker image

76 points by Foxboron

pbsds

Congratulations!

miro

Great job everyone!

sammko

What's the bootstrap starting point for this? Checking the docs, it assumes a running Arch installation, does it then assemble binary packages from the repositories into a docker image?

I'm struggling to understand the purpose of this. If I trust the Archlinux maintainers I don't have to bother with this, I can just check a signature. If I don't trust the Archlinux maintainers, I can't trust the repositories nor the host installation I'm doing this under.

Foxboron

I'm struggling to understand the purpose of this. If I trust the Archlinux maintainers I don't have to bother with this, I can just check a signature. If I don't trust the Archlinux maintainers, I can't trust the repositories nor the host installation I'm doing this under.

What if you don't trust docker hub and want to validate the image you are getting from them? Or any container registry for that matter.
- sammko
  
  Surely Arch could publish image hashes or signatures on the website
  - Foxboron
    
    Could we omit the signature if multiple parties can bit-for-bit reproduce the artifact independently?
- cmcaine
  
  It means the maintainers can have some buildbot make the images, and the maintainers don't have to have absolute trust in whoever made the image.