|
|
|
|
|
|
by distrustryan
405 days ago
|
|
|
that Rust example is gonna bite us in the ass until the day i die, i need to remove it. The Keyfork project is probably the best example of how an _actual_ Rust project is developed and shipped with stagex (disclaimer, I'm a maintainer of both). Actual Rust programs are built using the following steps: 1. Before building, the stagex tooling downloads and verifies a hash-locked version of the source package
* Additionally, all dependencies for the package (compilers _and_ linked libraries) are verified to have been built.
2. Packages and pallets (collections of packages) are unpacked `FROM scratch` into a bare container
3. `cargo fetch --locked` is then invoked to fetch all the dependencies.
4. `RUN --network=none` is used when compiling the actual binary to ensure no network access happens _after_ the `cargo fetch` stage. Admittedly, it is not ideal to allow turning network access on and off throughout a build, but `--network=none` has helped us identify some odd cases where network access _does_ happen.
5. Once the binary is built, the binary is added on top of the base "filesystem" package, and is considered "done". Unless some source file gets completely yoinked off the internet (which has happened, and we've had to "rebuild the world" because of it), every stagex package should be 100% bit-for-bit reproducible even if run several years down the line. There may be some cases where we miss a datestamp or something similar, but hopefully as time goes on, we get the infrastructure to mock system times and throw other wrenches to test how reproducible these packages really are. |
|
|
I'm definitely biased as a person who works on Nix stuff but I am not an absolutist when it comes to any of these things, based on what I'm reading about it I'd happily rely on StageX if I wanted reproducible OCI builds (and didn't feel like using Nix to do it, which has plenty of complexities on its own as nice as it can be.)