Merge f019ce05d6 into 1298e9c398

dev_scripts/reproduce.py

@@ -25,6 +25,7 @@ def run(*args):
         args,
         check=True,
         stdout=subprocess.PIPE,
+        # stderr=subprocess.PIPE
     ).stdout
 
 
@@ -39,27 +40,15 @@ def git_verify(commit, source):
         )
 
 
-def diffoci_hash_matches(diffoci):
-    """Check if the hash of the downloaded diffoci bin matches the expected one."""
-    m = hashlib.sha256()
-    m.update(DIFFOCI_PATH.open().read())
-    diffoci_checksum = m.hexdigest()
-    return diffoci_checksum == DIFFOCI_CHECKSUM
-
-
-def diffoci_exists():
-    """Check if the diffoci helper exists, and if the hash matches."""
-    if not DIFFOCI_PATH.exists():
-        return False
-    return diffoci_hash_matches(DIFFOCI_PATH.open().read())
-
-
 def diffoci_download():
     """Download the diffoci tool, based on a URL and its checksum."""
     with urllib.request.urlopen(DIFFOCI_URL) as f:
         diffoci_bin = f.read()
 
-    if not diffoci_hash_matches(diffoci_bin):
+    m = hashlib.sha256()
+    m.update(diffoci_bin)
+    diffoci_checksum = m.hexdigest()
+    if not diffoci_checksum == DIFFOCI_CHECKSUM:
         raise ValueError(
             "Unexpected checksum for downloaded diffoci binary:"
             f" {diffoci_checksum} !={DIFFOCI_CHECKSUM}"
@@ -134,7 +123,7 @@ def main():
     commit = git_commit_get()
     git_verify(commit, args.source)
 
-    if diffoci_exists():
+    if not DIFFOCI_PATH.exists():
         logger.info(f"Downloading diffoci helper from {DIFFOCI_URL}")
         diffoci_download()
 

docs/developer/reproducibility.md

@@ -92,7 +92,7 @@ Here are a few other obstacles that we need to overcome:
 ### Updating the image
 
 The fact that our image is reproducible also means that it's frozen in time.
-This means that rebuilding the image without updating our Dockerfile will **not**
+This means that rebuilding the image without updating our Dockerfile will not
 receive security updates.
 
 We list the necessary variables that make up our image in the `Dockerfile.env`
@@ -103,7 +103,7 @@ file. These are:
 * `H2ORESTART_CHECKSUM`: The SHA-256 checksum of the H2ORestart plugin
 * `H2ORESTART_VERSION`: The version of the H2ORestart plugin
 
-If you update these values in `Dockerfile.env`, you can create a new Dockerfile
+If you bump these values in `Dockerfile.env`, you can create a new Dockerfile
 with:
 
 ```
@@ -113,9 +113,8 @@ poetry run jinja2 Dockerfile.in Dockerfile.env > Dockerfile
 ### Reproducing the image
 
 For a simple way to reproduce a Dangerzone container image, either local or
-pushed to a container registry, you can checkout the commit this image was built
+pushed to a container registry, you can run the following command in a Linux
-from (you can find it from the image tag in its `g<commit>` portion), and run
+environment:
-the following command in a Linux environment:
 
 ```
 ./dev_scripts/reproduce.py <image>

install/common/build-image.py

@@ -27,29 +27,6 @@ def str2bool(v):
         raise argparse.ArgumentTypeError("Boolean value expected.")
 
 
-def determine_tag():
-    # Designate a unique tag for this image, depending on the Git commit it was created
-    # from:
-    # 1. If created from a Git tag (e.g., 0.8.0), the image tag will be `0.8.0`.
-    # 2. If created from a commit, it will be something like `0.8.0-31-g6bdaa7a`.
-    # 3. If the contents of the Git repo are dirty, we will append a unique identifier
-    #    for this run, something like `0.8.0-31-g6bdaa7a-fdcb` or `0.8.0-fdcb`.
-    dirty_ident = secrets.token_hex(2)
-    return (
-        subprocess.check_output(
-            [
-                "git",
-                "describe",
-                "--long",
-                "--first-parent",
-                f"--dirty=-{dirty_ident}",
-            ],
-        )
-        .decode()
-        .strip()[1:]  # remove the "v" prefix of the tag.
-    )
-
-
 def main():
     parser = argparse.ArgumentParser()
     parser.add_argument(
@@ -90,7 +67,30 @@ def main():
 
     print(f"Building for architecture '{ARCH}'")
 
-    tag = args.tag or determine_tag()
+    if args.tag:
+        tag = args.tag
+    else:
+        # Designate a unique tag for this image, depending on the Git commit it was created
+        # from:
+        # 1. If created from a Git tag (e.g., 0.8.0), the image tag will be `0.8.0`.
+        # 2. If created from a commit, it will be something like `0.8.0-31-g6bdaa7a`.
+        # 3. If the contents of the Git repo are dirty, we will append a unique identifier
+        #    for this run, something like `0.8.0-31-g6bdaa7a-fdcb` or `0.8.0-fdcb`.
+        dirty_ident = secrets.token_hex(2)
+        tag = (
+            subprocess.check_output(
+                [
+                    "git",
+                    "describe",
+                    "--long",
+                    "--first-parent",
+                    f"--dirty=-{dirty_ident}",
+                ],
+            )
+            .decode()
+            .strip()[1:]  # remove the "v" prefix of the tag.
+        )
+
     image_name_tagged = IMAGE_NAME + ":" + tag
 
     print(f"Will tag the container image as '{image_name_tagged}'")