Support reproducible builds (except packages)

See docker-library/official-images issue 16044

- `ARG SOURCE_DATE_EPOCH` is added.
  The argument value is consumed by the build scripts to make the `httpd` binary reproducible.

- GNU implementation of `wget` is executed with `--no-hsts` to disable creating `/root/.wget-hsts`

- For Debian, `/var/log/*` is removed as they contain timestamps

- For Debian, `/var/cache/ldconfig/aux-cache` is removed as they contain inode numbers, etc.

- For Alpine, virtual package versions are pinned to "0" to eliminate
  the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed`

The following topics are NOT covered by this commit:

- To reproduce file timestamps in layers, BuildKit has to be executed with
  `--output type=<TYPE>,rewrite-timestamp=true`.
  Needs BuildKit v0.13.0-beta1 or later.

- To reproduce the base image by the hash, reproducers may:
  - modify the `FROM` instruction in Dockerfile manually
  - or, use the `CONVERT` action of source policies to replace the base image.
    <https://github.com/moby/buildkit/blob/v0.13.0-beta1/docs/build-repro.md>

- To reproduce Debian packages, reproducers may:
  - modify the `RUN` instructions in the Dockerfile to rewrite `/etc/apt/sources.list`
    to use <http://snapshot.debian.org>, and restore `/etc/apt/sources.list`
    at the end of the instruction (See the rejected PR 248)
  - or, specify a custom Dockerfile frontend implementation that
    rewrites/restores `/etc/apt/sources.list`
  - or, specify a custom `HTTP_PROXY` that redirects HTTP requests for
    <http://deb.debian.org> to <http://snapshot.debian.org>.
    This is less reliable in long-term due to `Acquire::Check-Valid-Until`.

Signed-off-by: Akihiro Suda <[email protected]>

Author: AkihiroSuda

2.4/Dockerfile

@@ -1,5 +1,8 @@
 FROM debian:bookworm-slim
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 #RUN groupadd -r www-data && useradd -r --create-home -g www-data www-data
 
@@ -20,7 +23,9 @@ RUN set -eux; \
 # https://github.com/docker-library/httpd/issues/209
 		libldap-common \
 	; \
-	rm -rf /var/lib/apt/lists/*
+	rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+	rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 
 ENV HTTPD_VERSION 2.4.59
 ENV HTTPD_SHA256 ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323
@@ -68,7 +73,7 @@ RUN set -eux; \
 # if the version is outdated, we have to pull from the archive
 			https://archive.apache.org/dist/ \
 		; do \
-			if wget -O "$f" "$distUrl$distFile" && [ -s "$f" ]; then \
+			if wget --no-hsts -O "$f" "$distUrl$distFile" && [ -s "$f" ]; then \
 				success=1; \
 				break; \
 			fi; \
@@ -170,7 +175,7 @@ RUN set -eux; \
 			local patchSha256="$1"; shift; \
 			ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile"; \
 			echo "$patchSha256 *$patchFile" | sha256sum -c -; \
-			patch -p0 < "$patchFile"; \
+			patch --set-utc --force -p0 < "$patchFile"; \
 			rm -f "$patchFile"; \
 		done; \
 	}; \
@@ -180,6 +185,10 @@ RUN set -eux; \
 	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; \
 	CPPFLAGS="$(dpkg-buildflags --get CPPFLAGS)"; \
 	LDFLAGS="$(dpkg-buildflags --get LDFLAGS)"; \
+	SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+	export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+	date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 	./configure \
 		--build="$gnuArch" \
 		--prefix="$HTTPD_PREFIX" \
@@ -225,7 +234,9 @@ RUN set -eux; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 # smoke test
-	httpd -v
+	httpd -v; \
+# clean up for reproducibility
+	rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 
 # https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop
 STOPSIGNAL SIGWINCH

2.4/alpine/Dockerfile

@@ -1,5 +1,8 @@
 FROM alpine:3.20
 
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 # ensure www-data user exists
 RUN set -x \
 	&& adduser -u 82 -D -S -G www-data www-data
@@ -35,7 +38,7 @@ ENV HTTPD_PATCHES=""
 # see https://httpd.apache.org/docs/2.4/install.html#requirements
 RUN set -eux; \
 	\
-	apk add --no-cache --virtual .build-deps \
+	apk add --no-cache --virtual .build-deps=0 \
 		apr-dev \
 		apr-util-dev \
 		coreutils \
@@ -181,13 +184,17 @@ RUN set -eux; \
 			local patchSha256="$1"; shift; \
 			ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile"; \
 			echo "$patchSha256 *$patchFile" | sha256sum -c -; \
-			patch -p0 < "$patchFile"; \
+			patch --set-utc --force -p0 < "$patchFile"; \
 			rm -f "$patchFile"; \
 		done; \
 	}; \
 	patches $HTTPD_PATCHES; \
 	\
 	gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+	SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+	export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+	date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 	./configure \
 		--build="$gnuArch" \
 		--prefix="$HTTPD_PREFIX" \
@@ -219,7 +226,7 @@ RUN set -eux; \
 			| sort -u \
 			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 	)"; \
-	apk add --no-network --virtual .httpd-so-deps $deps; \
+	apk add --no-network --virtual .httpd-so-deps=0 $deps; \
 	apk del --no-network .build-deps; \
 	\
 # smoke test