I am investigating reproducible builds and would like for that to end up with a script that sets up a constant VM image containing my build environment. For now, I'll put aside issues with timestamps and other sources of differences, so by "constant", I mean a reproducible environment. I am aware of the Debian ReproducibleBuilds effort, which puts a requirement on package versions to guarantee an identical build. I want something similar, but at the system level.
I started with Alpine, which lets me create a VM based on a specific release very easily.
How would I do the same for Debian, which provides for example stretch releases 9.0 to 9.4?
The best I could come up with so far was the following: I had a look at the release changelog, then used the closest snapshot as my package source for debootstrap.
$ wget -q -O- http://ftp.debian.org/debian/dists/stretch/ChangeLog | grep "Debian.*released"
Sat, 10 Mar 2018 - Debian 9.4 released
Sat, 09 Dec 2017 - Debian 9.3 released
Sat, 07 Oct 2017 - Debian 9.2 released
Sat, 22 Jul 2017 - Debian 9.1 released
Sat, 17 Jun 2017 - Debian 9.0 released
$ # Looking at release 9.2
$ wget -q -O- "http://snapshot.debian.org/archive/debian/?year=2017&month=10" | html2text | sed -e 's/[:-]//g' -e 's/_/T/g' | awk '/20171007/ {print "http://snapshot.debian.org/archive/debian/"$1"Z/"}'
http://snapshot.debian.org/archive/debian/20171007T032909Z/
http://snapshot.debian.org/archive/debian/20171007T103908Z/
http://snapshot.debian.org/archive/debian/20171007T213914Z/
$ mkdir -p chroot_stretch_20171007T103908Z
$ sudo debootstrap --arch=amd64 --variant=minbase stretch chroot_stretch_20171007T103908Z http://snapshot.debian.org/archive/debian/20171007T103908Z/
I: Retrieving InRelease
I: Retrieving Release
I: Retrieving Release.gpg
I: Checking Release signature
I: Valid Release signature (key id 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500)
I: Retrieving Packages
(...)
$ find -maxdepth 1 -name "chroot_stretch_2017100*" | sort | while read d; do echo $d; cat $d/etc/debian_version; sudo chroot $d apt-cache policy | grep stretch; echo ""; done
./chroot_stretch_20171006T213452Z
9.1
500 http://snapshot.debian.org/archive/debian/20171006T213452Z stretch/main amd64 Packages
release v=9.1,o=Debian,a=stable,n=stretch,l=Debian,c=main,b=amd64
./chroot_stretch_20171007T032909Z
9.1
500 http://snapshot.debian.org/archive/debian/20171007T032909Z stretch/main amd64 Packages
release v=9.1,o=Debian,a=stable,n=stretch,l=Debian,c=main,b=amd64
./chroot_stretch_20171007T103908Z
9.1
900 http://snapshot.debian.org/archive/debian/20171007T103908Z stretch/main amd64 Packages
release v=9.2,o=Debian,a=stable,n=stretch,l=Debian,c=main,b=amd64
./chroot_stretch_20171007T213914Z
9.1
500 http://snapshot.debian.org/archive/debian/20171007T213914Z stretch/main amd64 Packages
release v=9.2,o=Debian,a=stable,n=stretch,l=Debian,c=main,b=amd64
./chroot_stretch_20171008T032534Z
9.1
500 http://snapshot.debian.org/archive/debian/20171008T032534Z stretch/main amd64 Packages
release v=9.2,o=Debian,a=stable,n=stretch,l=Debian,c=main,b=amd64
As we can see, the release tag from apt-cache policy changes between two snapshots of the same day. However /etc/debian_version doesn't get updated, even though looking at the base-file package versions shows a new version is made available. Note that there is no explicit snapshot taken upon a release, so this approach is a "best effort" one. Consequently, there are multiple ways of defining what Debian release 9.2 actually is.
I don't really see the point of dot releases if there isn't a simple way of targeting them, so I must be missing something obvious.
