{"id":17310593,"url":"https://github.com/kpcyrd/repro-env","last_synced_at":"2025-10-03T23:07:18.931Z","repository":{"id":179278202,"uuid":"658807868","full_name":"kpcyrd/repro-env","owner":"kpcyrd","description":"Dependency lockfiles for reproducible build environments 📦🔒","archived":false,"fork":false,"pushed_at":"2025-04-18T09:15:59.000Z","size":427,"stargazers_count":46,"open_issues_count":2,"forks_count":5,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-08-23T18:09:24.409Z","etag":null,"topics":["release-engineering","reproducible-builds","supply-chain-security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kpcyrd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["kpcyrd"]}},"created_at":"2023-06-26T14:28:06.000Z","updated_at":"2025-07-11T20:49:57.000Z","dependencies_parsed_at":"2024-07-30T15:42:55.171Z","dependency_job_id":"666e38cd-117e-4b7f-adb8-a60cccb760ec","html_url":"https://github.com/kpcyrd/repro-env","commit_stats":null,"previous_names":["kpcyrd/repro-env"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/kpcyrd/repro-env","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Frepro-env","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Frepro-env/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Frepro-env/releases","manifests_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/kpcyrd%2Frepro-env/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kpcyrd","download_url":"https://codeload.github.com/kpcyrd/repro-env/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Frepro-env/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278239978,"owners_count":25954098,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-03T02:00:06.070Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["release-engineering","reproducible-builds","supply-chain-security"],"created_at":"2024-10-15T12:37:47.064Z","updated_at":"2025-10-03T23:07:18.915Z","avatar_url":"https://github.com/kpcyrd.png","language":"Rust","funding_links":["https://github.com/sponsors/kpcyrd"],"categories":[],"sub_categories":[],"readme":"# repro-env\n\nImagine you had a tool that takes a config like this:\n\n```toml\n# repro-env.toml\n[container]\nimage = \"rust:1-alpine3.18\"\n```\n\nand turns it into something like this:\n\n```toml\n# repro-env.lock\n[container]\nimage = \"rust@sha256:22760a18d52be83a74f5df8b190b8e9baa1e6ce7d9bda40630acc8ba5328a2fd\"\n```\n\nYou commit both into your git repository to document:\n\n- **repro-env.toml**: which container image tag you intend to follow (think `Cargo.toml`)\n- **repro-env.lock**: which specific image 
you use for your release build (think `Cargo.lock`)\n\nThe .lock file is auto-generated and can be refreshed with a simple command:\n\n```\nrepro-env update\n```\n\nThe build is executed in a user-namespace with **podman** (make sure it's installed), the current directory is mounted to `/build/` and a given command is executed inside of that directory:\n\n```\nrepro-env build -- cargo build\n```\n\nWe want to distribute our binary without having to worry about system libraries, so we ask cargo to create static binaries (also enable release optimizations):\n\n```\nrepro-env build -- cargo build --release --target x86_64-unknown-linux-musl\n```\n\nThis way we also ensure a different build folder is used (`target/x86_64-unknown-linux-musl` instead of `target/`) so our normal development doesn't interfere.\n\nThe final executable is available at this location:\n\n```\n./target/x86_64-unknown-linux-musl/release/repro-env --help\n```\n\n## Download\n\n- [repro-env x86_64 statically linked](https://github.com/kpcyrd/repro-env/releases/download/v0.4.3/repro-env) (sha256: `2a00b21ac5e990e0c6a0ccbf3b91e34a073660d1f4553b5f3cda2b09cc4d4d8a`)\n\n[![](https://repology.org/badge/vertical-allrepos/repro-env.svg)](https://repology.org/project/repro-env/versions)\n\nWith github actions:\n\n```yaml\n- name: Install repro-env\n  run: |\n    wget 'https://github.com/kpcyrd/repro-env/releases/download/v0.4.3/repro-env'\n    echo '2a00b21ac5e990e0c6a0ccbf3b91e34a073660d1f4553b5f3cda2b09cc4d4d8a  repro-env' | sha256sum -c -\n    sudo install -m755 repro-env -t /usr/bin\n```\n\nWith github actions (\u003e= Ubuntu 24.04):\n\n```yaml\n- name: Install repro-env\n  run: sudo apt-get install -y repro-env\n```\n\n## Integrations\n\n| Package integration                    | Status | Archive infrastructure |\n| -------------------------------------- | ------ | ---------------------- |\n| [Arch Linux](#packages-arch-linux)     | ✅ Fully supported, no known issues | ✅ Superb, operated by Arch Linux 
|\n| [Debian](#packages-debian)             | ✅ No known issues | ✅ Superb, operated by Debian |\n| [Alpine Linux](#packages-alpine-linux) | ✅ No known issues | ❌ No public archive, links are likely to become 404 |\n\n## Packages: Arch Linux\n\nArch Linux hosts a comprehensive collection of recent compilers at https://archive.archlinux.org. You can create a `[packages]` section in your **repro-env.toml** with `system = \"archlinux\"` to install additional packages with pacman.\n\n```toml\n# repro-env.toml\n[container]\nimage = \"docker.io/library/archlinux\"\n\n[packages]\nsystem = \"archlinux\"\ndependencies = [\"rust-musl\", \"lua\"]\n```\n\nThe resolved **repro-env.lock** is going to contain the sha256 of the resolved container image you use as a base, and a list of `[[package]]` that should be installed/upgraded inside of the container before starting the build.\n\n```toml\n# repro-env.lock\n[container]\nimage = \"docker.io/library/archlinux@sha256:6568d3f1f278827a4a7d8537f80c2ae36982829a0c6bccff4cec081774025472\"\n\n# [...]\n\n[[package]]\nname = \"rust\"\nversion = \"1:1.69.0-3\"\nsystem = \"archlinux\"\nurl = \"https://archive.archlinux.org/packages/r/rust/rust-1%3A1.69.0-3-x86_64.pkg.tar.zst\"\nsha256 = \"b8eb31a2eb80efab27bb68beab80436ed3e1d235a217c3e24ba973936c95839e\"\nsignature = \"iIsEABYIADMWIQQGaHodnU+rCLUP2Ss7lKgOUKR3xwUCZExVKBUcaGVmdGlnQGFyY2hsaW51eC5vcmcACgkQO5SoDlCkd8fQkAD6AudRi2qP3WxSn38OOkSRSITciqRevPaVJgrz03JUBEAA/12h9z8dReD07Lqnltx9QTa3Cxppbv7VpJlTCQuavoMG\"\n\n[[package]]\nname = \"rust-musl\"\nversion = \"1:1.69.0-3\"\nsystem = \"archlinux\"\nurl = \"https://archive.archlinux.org/packages/r/rust-musl/rust-musl-1%3A1.69.0-3-x86_64.pkg.tar.zst\"\nsha256 = \"5a4854cdac8312dbf72fb87795bcc36bfb34e9218944966e5ac2e62319bbcf22\"\nsignature = \"iIsEABYIADMWIQQGaHodnU+rCLUP2Ss7lKgOUKR3xwUCZExVKRUcaGVmdGlnQGFyY2hsaW51eC5vcmcACgkQO5SoDlCkd8cCMQD/W59RkOVPZDXlnmyY27jW61GC86hXOkSLOKa7XMQtpBoBALSugCkG1clSo/EQDbnuS+UY3268HNBvz6mF6i/hhEsB\"\n```\n\n## 
Packages: Debian\n\nDebian is a widely accepted choice and hosts an archive of all their packages at https://snapshot.debian.org/. You can create a `[packages]` section in your **repro-env.toml** with `system = \"debian\"` to install additional packages with apt-get.\n\n```toml\n# repro-env.toml\n[container]\nimage = \"debian:bookworm\"\n\n[packages]\nsystem = \"debian\"\ndependencies = [\"gcc\", \"libc6-dev\"]\n```\n\nNote this only works with **official** debian packages (not ubuntu).\n\nThe resolved **repro-env.lock** is going to contain the sha256 of the resolved container image you use as a base, and a list of `[[package]]` that should be installed/upgraded inside of the container before starting the build.\n\n```toml\n# repro-env.lock\n[container]\nimage = \"debian@sha256:3d868b5eb908155f3784317b3dda2941df87bbbbaa4608f84881de66d9bb297b\"\n\n[[package]]\nname = \"binutils\"\nversion = \"2.40-2\"\nsystem = \"debian\"\nurl = \"https://snapshot.debian.org/archive/debian/20230115T211934Z/pool/main/b/binutils/binutils_2.40-2_amd64.deb\"\nsha256 = \"83c3e20b53e1fbd84d764c3ba27d26a0376e361ae5d7fb37120196934dd87424\"\n\n[[package]]\nname = \"binutils-common\"\nversion = \"2.40-2\"\nsystem = \"debian\"\nurl = \"https://snapshot.debian.org/archive/debian/20230115T211934Z/pool/main/b/binutils/binutils-common_2.40-2_amd64.deb\"\nsha256 = \"ab314134f43a0891a48f69a9bc33d825da748fa5e0ba2bebb7a5c491b026f1a0\"\n\n# [...]\n```\n\n## Packages: Alpine Linux\n\nAlpine is very popular in the container world, based on musl libc and has a wide selection of compilers in recent versions. You can create a `[packages]` section in your **repro-env.toml** with `system = \"alpine\"` to install additional packages with apk. 
Unfortunately there's currently no public archive of old Alpine packages. Keep this in mind, because your repro-env build environments **are likely to become uninstallable!**\n\n```toml\n# repro-env.toml\n[container]\nimage = \"docker.io/library/alpine\"\n\n[packages]\nsystem = \"alpine\"\ndependencies = [\"gcc\", \"make\", \"musl-dev\"]\n```\n\nThe resolved **repro-env.lock** is going to contain the sha256 of the resolved container image you use as a base, and a list of `[[package]]` that should be installed/upgraded inside of the container before starting the build.\n\n```toml\n# repro-env.lock\n[container]\nimage = \"docker.io/library/alpine@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978\"\n\n[[package]]\nname = \"binutils\"\nversion = \"2.40-r7\"\nsystem = \"alpine\"\nurl = \"https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/binutils-2.40-r7.apk\"\nsha256 = \"6b1bf117b8f0a15862b27ff77a412eaccf2e7d8048a9cc0e3903e44930547c80\"\n\n[[package]]\nname = \"busybox\"\nversion = \"1.36.1-r4\"\nsystem = \"alpine\"\nurl = \"https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/busybox-1.36.1-r4.apk\"\nsha256 = \"abccb59dd5b9e64b782bbfd97b08c79a2214cc53567fb334aa003815505a007f\"\n\n# [...]\n```\n\n## Bootstrapping\n\nThere are no inherent bootstrapping challenges: you can use any recent Rust compiler to build a working **repro-env** binary. 
This binary can then set up any other build environment (including its own) and is able to build a bit-for-bit identical copy of the official release binaries hosted on GitHub.\n\n## Reproducible Builds\n\nAll [pre-compiled binaries](https://github.com/kpcyrd/repro-env/releases) can be reproduced from source code:\n\n```sh\n% wget https://github.com/kpcyrd/repro-env/releases/download/v0.4.3/repro-env\n[...]\n% sha256sum repro-env\n2a00b21ac5e990e0c6a0ccbf3b91e34a073660d1f4553b5f3cda2b09cc4d4d8a  repro-env\n```\n\nSince the build environment is fully documented and tracked in git, all we need is to check out the corresponding git tag and run `make`:\n\n```sh\n% git clone https://github.com/kpcyrd/repro-env\n% cd repro-env\n% git checkout v0.4.3\n% make\n% sha256sum target/x86_64-unknown-linux-musl/release/repro-env\n2a00b21ac5e990e0c6a0ccbf3b91e34a073660d1f4553b5f3cda2b09cc4d4d8a  target/x86_64-unknown-linux-musl/release/repro-env\n```\n\n## License\n\n`MIT OR Apache-2.0`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Frepro-env","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkpcyrd%2Frepro-env","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Frepro-env/lists"}