Support reproducible builds (except packages)

[AkihiroSuda]

Background:

• docker-library/official-images#16044

Alternative to:

• #248

---

• SOURCE_DATE_EPOCH is added. The value is consumed by the build scripts to make the httpd binary reproducible.

• GNU implementation of wget is executed with --no-hsts to disable creating /root/.wget-hsts

• For Debian, /var/log/* is removed as they contain timestamps

• For Debian, /var/cache/ldconfig/aux-cache is removed as they contain inode numbers, etc.

• For Alpine, virtual package versions are pinned to "0" to eliminate the timestamp-based version numbers that appear in /etc/apk/world and /lib/apk/db/installed

[!NOTE] The following topics are NOT covered by this commit:

• To reproduce file timestamps in layers, BuildKit has to be executed with --output type=<TYPE>,rewrite-timestamp=true. Needs BuildKit v0.13.0-beta1 or later.

• To reproduce the base image by the hash, reproducers may:

  • modify the FROM instruction in Dockerfile manually
  • or, use the CONVERT action of source policies to replace the base image. https://github.com/moby/buildkit/blob/v0.13.0-beta1/docs/build-repro.md

• To reproduce Debian packages, reproducers may:

  • modify the RUN instructions in the Dockerfile to rewrite /etc/apt/sources.list to use http://snapshot.debian.org, and restore /etc/apt/sources.list at the end of the instruction (See the rejected PR #248)
  • or, use "instruction hook" https://github.com/moby/buildkit/issues/4576

[AkihiroSuda]

@tianon @yosifkit PTAL 🙏

[AkihiroSuda]

@tianon @yosifkit

I think this is good to merge. Unlike https://github.com/docker-library/httpd/pull/248 , this does not suffer from the slow apt-get.