
Lock repos

Open kaniini opened this issue 2 years ago • 4 comments

A lock repo is a repository that contains all of the required artifacts needed to reproduce an apko image.

The theory of operation behind this is that a user could run a command like apko lock, which would:

  • resolve the dependencies
  • create an environment where apk fetch may be used
  • use apk fetch to fetch them
  • use apk index to index them

A user could then use apko publish ... --lock-repo whatever/ which would then generate a signing key on the fly, sign the index, and then use it in place of the configured repos in the YAML file.

This in theory would also solve #65.

kaniini, Apr 18 '22 19:04
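The four steps proposed in the issue above can be carried out by hand with existing tools; the following is an added example, not part of the issue and not apko code. The function name `build_lock_repo`, the key name `lock-repo.rsa`, the `LOCK_DIR/<arch>/` layout and the use of `abuild-sign` for signing are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: assemble a signed lock repo by hand (not apko code).
# Assumes apk-tools 2.x, openssl and abuild-sign on PATH, run as root
# or inside a container.
set -eu

# usage: build_lock_repo REPOSITORIES_FILE KEYS_DIR LOCK_DIR PACKAGE...
build_lock_repo() {
    repos=$1 keys=$2 lock=$3
    shift 3
    tmp=$(mktemp -d)
    root="$tmp/root"            # throwaway root; host apk database untouched

    # Environment where apk fetch can be used: configured repos + their keys.
    mkdir -p "$root/etc/apk/keys"
    cp "$repos" "$root/etc/apk/repositories"
    cp "$keys"/*.pub "$root/etc/apk/keys/"
    apk --root "$root" --initdb add
    apk --root "$root" update

    # Resolve the dependency closure and download every package in it.
    arch=$(apk --print-arch)
    mkdir -p "$lock/$arch"
    apk --root "$root" fetch --recursive --output "$lock/$arch" "$@"

    # Index exactly what was fetched.
    apk index --output "$lock/$arch/APKINDEX.tar.gz" "$lock/$arch"/*.apk

    # Sign with a key generated on the fly; only the public half is kept.
    key="$tmp/lock-repo.rsa"    # hypothetical key name
    openssl genrsa -out "$key" 2048
    openssl rsa -in "$key" -pubout -out "$key.pub"
    abuild-sign -k "$key" "$lock/$arch/APKINDEX.tar.gz"
    cp "$key.pub" "$lock/"

    rm -rf "$tmp"
}

# Runs only when arguments are given, e.g.:
#   ./lock.sh repositories /etc/apk/keys ./lock-repo busybox
if [ "$#" -gt 0 ]; then build_lock_repo "$@"; fi
```

A consumer then lists only the lock directory as its repository and trusts only `lock-repo.rsa.pub`, so the build cannot pull a package that was not fetched and indexed here.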

Kicking this back to v0.5 so we can take advantage of apk-tools 2.12.10 apk fetch --world feature.

kaniini, Jun 01 '22 14:06

Postponing to v0.6.

kaniini, Jul 11 '22 16:07

Will this enable hermetic builds?

amouat, Oct 24 '22 19:10

Any update on this issue? Would be great to have reproducible builds for using apko in prod.

katexochen, Jan 19 '23 14:01