From 6cd957b48e225ef9ad5bbe0dc1e0dd821d917159 Mon Sep 17 00:00:00 2001
From: Enderson Maia <endersonmaia@gmail.com>
Date: Fri, 27 Sep 2024 11:05:55 -0300
Subject: [PATCH] feat: use apt --snapshot for reproducibility

---
 cpp-low-level/Dockerfile | 36 ++++++++++-----
 cpp/3rdparty/Makefile    |  4 +-
 cpp/Dockerfile           | 36 ++++++++++-----
 go/Dockerfile            | 59 ++++++++++++++++++-------
 lua/Dockerfile           | 38 +++++++++++-----
 ruby/Dockerfile          | 33 +++++++++++---
 rust/Dockerfile          | 95 ++++++++++++++++++++++++++--------------
 7 files changed, 215 insertions(+), 86 deletions(-)

diff --git a/cpp-low-level/Dockerfile b/cpp-low-level/Dockerfile
index 1b628fa..c13c862 100644
--- a/cpp-low-level/Dockerfile
+++ b/cpp-low-level/Dockerfile
@@ -1,21 +1,35 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
 
-RUN apt-get update
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
 
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 builder stage
 FROM base AS builder
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  autoconf=2.71-3 \
-  automake=1:1.16.5-1.3ubuntu1 \
-  build-essential=12.10ubuntu1 \
-  ca-certificates=20240203 \
-  curl=8.5.0-2ubuntu10.3 \
-  libtool=2.4.7-7build1 \
-  wget=1.21.4-1ubuntu4.1
+  autoconf \
+  automake \
+  build-essential \
+  libtool
 rm -rf /var/lib/apt/lists/*
 EOF
 
@@ -24,6 +38,8 @@ WORKDIR /opt/cartesi/dapp
 COPY . .
 RUN make
 
+################################################################################
+# runtime stage: produces final image that will be executed
 FROM base
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
@@ -38,7 +54,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1
+  busybox-static
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF
diff --git a/cpp/3rdparty/Makefile b/cpp/3rdparty/Makefile
index 1bb4b43..679c6d0 100644
--- a/cpp/3rdparty/Makefile
+++ b/cpp/3rdparty/Makefile
@@ -3,13 +3,13 @@
 all: cpp-httplib picojson
 
 cpp-httplib:
-	wget https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.10.4.tar.gz && \
+	curl -fsSL -O https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.10.4.tar.gz && \
   tar xvf v0.10.4.tar.gz && \
   rm v0.10.4.tar.gz && \
   mv cpp-httplib-0.10.4 cpp-httplib
 
 picojson:
-	wget https://github.com/kazuho/picojson/archive/refs/tags/v1.3.0.tar.gz && \
+	curl -fsSL -O https://github.com/kazuho/picojson/archive/refs/tags/v1.3.0.tar.gz && \
   tar xvf v1.3.0.tar.gz && \
   rm v1.3.0.tar.gz && \
   mv picojson-1.3.0 picojson
diff --git a/cpp/Dockerfile b/cpp/Dockerfile
index 49ffd1d..fd96d65 100644
--- a/cpp/Dockerfile
+++ b/cpp/Dockerfile
@@ -1,21 +1,35 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
 
-RUN apt-get update
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
 
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 builder stage
 FROM base AS builder
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  autoconf=2.71-3 \
-  automake=1:1.16.5-1.3ubuntu1 \
-  build-essential=12.10ubuntu1 \
-  ca-certificates=20240203 \
-  curl=8.5.0-2ubuntu10.3 \
-  libtool=2.4.7-7build1 \
-  wget=1.21.4-1ubuntu4.1
+  autoconf \
+  automake \
+  build-essential \
+  libtool
 rm -rf /var/lib/apt/lists/*
 EOF
 
@@ -23,6 +37,8 @@ WORKDIR /opt/cartesi/dapp
 COPY . .
 RUN make
 
+################################################################################
+# runtime stage: produces final image that will be executed
 FROM base
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
@@ -37,7 +53,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1
+  busybox-static
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF
diff --git a/go/Dockerfile b/go/Dockerfile
index c34b956..90cb849 100644
--- a/go/Dockerfile
+++ b/go/Dockerfile
@@ -1,23 +1,55 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM ubuntu:24.04 AS build-stage
 
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
+
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base-riscv64
+
+ARG APT_UPDATE_SNAPSHOT
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
-set -e
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# cross base stage
+FROM --platform=$BUILDPLATFORM ubuntu:${UBUNTU_TAG} AS base-cross
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
 apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# cross build stage
+FROM base-cross AS cross-build-stage
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -e
 apt install -y --no-install-recommends \
-    build-essential=12.10ubuntu1 \
-    ca-certificates=20240203 \
-    g++-riscv64-linux-gnu=4:13.2.0-7ubuntu1 \
-    wget=1.21.4-1ubuntu4.1
+    build-essential \
+    ca-certificates \
+    g++-riscv64-linux-gnu
 EOF
 
 ARG GOVERSION=1.23.1
 
 WORKDIR /opt/build
 
-RUN wget https://go.dev/dl/go${GOVERSION}.linux-$(dpkg --print-architecture).tar.gz && \
-  tar -C /usr/local -xzf go${GOVERSION}.linux-$(dpkg --print-architecture).tar.gz
+RUN curl -fsSL https://go.dev/dl/go${GOVERSION}.linux-$(dpkg --print-architecture).tar.gz | \
+  tar -C /usr/local -xzf -
 
 ENV GOOS=linux
 ENV GOARCH=riscv64
@@ -29,12 +61,9 @@ COPY src .
 
 RUN make
 
+################################################################################
 # runtime stage: produces final image that will be executed
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
-
-RUN apt-get update
-
-FROM base
+FROM base-riscv64
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
 ADD https://github.com/cartesi/machine-emulator-tools/releases/download/v${MACHINE_EMULATOR_TOOLS_VERSION}/machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb /
@@ -48,7 +77,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1
+  busybox-static
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF
@@ -56,7 +85,7 @@ EOF
 ENV PATH="/opt/cartesi/bin:${PATH}"
 
 WORKDIR /opt/cartesi/dapp
-COPY --from=build-stage /opt/build/dapp .
+COPY --from=cross-build-stage /opt/build/dapp .
 
 ENV ROLLUP_HTTP_SERVER_URL="http://127.0.0.1:5004"
 
diff --git a/lua/Dockerfile b/lua/Dockerfile
index dc05d01..9e50ed5 100644
--- a/lua/Dockerfile
+++ b/lua/Dockerfile
@@ -1,24 +1,43 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
 
-RUN apt-get update
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
 
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 builder stage
 FROM base AS builder
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  build-essential=12.10ubuntu1 \
-  liblua5.4-dev=5.4.6-3build2 \
-  lua5.4=5.4.6-3build2 \
-  luarocks=3.8.0+dfsg1-1
+  build-essential \
+  liblua5.4-dev \
+  lua5.4 \
+  luarocks
 rm -rf /var/lib/apt/lists/*
 
 luarocks install --lua-version=5.4 luasocket 3.1.0-1
 luarocks install --lua-version=5.4 dkjson 2.6-1
 EOF
 
+################################################################################
+# riscv64 final stage
 FROM base
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
@@ -32,11 +51,10 @@ LABEL io.cartesi.rollups.ram_size=128Mi
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
-apt-get update
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1 \
-  liblua5.4-dev=5.4.6-3build2 \
-  lua5.4=5.4.6-3build2
+  busybox-static \
+  liblua5.4-dev \
+  lua5.4
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF
diff --git a/ruby/Dockerfile b/ruby/Dockerfile
index 7cdbacd..d8d6041 100644
--- a/ruby/Dockerfile
+++ b/ruby/Dockerfile
@@ -1,17 +1,34 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
 
-RUN apt-get update
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
 
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 builder stage
 FROM base AS builder
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  build-essential=12.10ubuntu1 \
-  ruby-dev="1:3.2~ubuntu1" \
-  ruby="1:3.2~ubuntu1"
+  build-essential \
+  ruby-dev \
+  ruby
 rm -rf /var/apt/lists/*
 gem install bundler --no-document
 EOF
@@ -24,6 +41,8 @@ bundle config set --without 'development test'
 bundle install --jobs=3 --retry=3
 EOF
 
+################################################################################
+# runtime stage: produces final image that will be executed
 FROM base
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
@@ -38,8 +57,8 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1 \
-  ruby="1:3.2~ubuntu1"
+  busybox-static \
+  ruby
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF
diff --git a/rust/Dockerfile b/rust/Dockerfile
index f4019e4..8b6983b 100644
--- a/rust/Dockerfile
+++ b/rust/Dockerfile
@@ -1,5 +1,39 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM ubuntu:24.04 AS builder
+
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
+
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base-riscv64
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# cross base stage
+FROM --platform=$BUILDPLATFORM ubuntu:${UBUNTU_TAG} AS base-cross
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# cross build stage
+FROM base-cross AS cross-build-stage
 
 ENV RUSTUP_HOME=/usr/local/rustup \
     CARGO_HOME=/usr/local/cargo \
@@ -9,33 +43,32 @@ ENV RUSTUP_HOME=/usr/local/rustup \
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
-apt update
 apt install -y --no-install-recommends \
-    build-essential=12.10ubuntu1 \
-    ca-certificates=20240203 \
-    g++-riscv64-linux-gnu=4:13.2.0-7ubuntu1 \
-    wget=1.21.4-1ubuntu4.1
+    build-essential \
+    g++-riscv64-linux-gnu
 EOF
 
-RUN set -eux; \
-    dpkgArch="$(dpkg --print-architecture)"; \
-    case "${dpkgArch##*-}" in \
-    amd64) rustArch='x86_64-unknown-linux-gnu'; rustupSha256='0b2f6c8f85a3d02fde2efc0ced4657869d73fccfce59defb4e8d29233116e6db' ;; \
-    armhf) rustArch='armv7-unknown-linux-gnueabihf'; rustupSha256='f21c44b01678c645d8fbba1e55e4180a01ac5af2d38bcbd14aa665e0d96ed69a' ;; \
-    arm64) rustArch='aarch64-unknown-linux-gnu'; rustupSha256='673e336c81c65e6b16dcdede33f4cc9ed0f08bde1dbe7a935f113605292dc800' ;; \
-    i386) rustArch='i686-unknown-linux-gnu'; rustupSha256='e7b0f47557c1afcd86939b118cbcf7fb95a5d1d917bdd355157b63ca00fc4333' ;; \
-    *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; \
-    esac; \
-    url="https://static.rust-lang.org/rustup/archive/1.26.0/${rustArch}/rustup-init"; \
-    wget "$url"; \
-    echo "${rustupSha256} *rustup-init" | sha256sum -c -; \
-    chmod +x rustup-init; \
-    ./rustup-init -y --no-modify-path --profile minimal --default-toolchain $RUST_VERSION --default-host ${rustArch}; \
-    rm rustup-init; \
-    chmod -R a+w $RUSTUP_HOME $CARGO_HOME; \
-    rustup --version; \
-    cargo --version; \
-    rustc --version;
+RUN <<EOF
+set -eux
+dpkgArch="$(dpkg --print-architecture)"
+case "${dpkgArch##*-}" in \
+    amd64) rustArch='x86_64-unknown-linux-gnu'; rustupSha256='0b2f6c8f85a3d02fde2efc0ced4657869d73fccfce59defb4e8d29233116e6db' ;;
+    armhf) rustArch='armv7-unknown-linux-gnueabihf'; rustupSha256='f21c44b01678c645d8fbba1e55e4180a01ac5af2d38bcbd14aa665e0d96ed69a' ;;
+    arm64) rustArch='aarch64-unknown-linux-gnu'; rustupSha256='673e336c81c65e6b16dcdede33f4cc9ed0f08bde1dbe7a935f113605292dc800' ;;
+    i386) rustArch='i686-unknown-linux-gnu'; rustupSha256='e7b0f47557c1afcd86939b118cbcf7fb95a5d1d917bdd355157b63ca00fc4333' ;;
+    *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;;
+esac
+url="https://static.rust-lang.org/rustup/archive/1.26.0/${rustArch}/rustup-init"
+curl -fsSL -O "$url"
+echo "${rustupSha256} *rustup-init" | sha256sum -c -
+chmod +x rustup-init
+./rustup-init -y --no-modify-path --profile minimal --default-toolchain $RUST_VERSION --default-host ${rustArch}
+rm rustup-init
+chmod -R a+w $RUSTUP_HOME $CARGO_HOME
+rustup --version
+cargo --version
+rustc --version
+EOF
 
 RUN rustup target add riscv64gc-unknown-linux-gnu
 
@@ -43,11 +76,9 @@ WORKDIR /opt/cartesi/dapp
 COPY . .
 RUN cargo build --release
 
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
-
-RUN apt-get update
-
-FROM base
+################################################################################
+# runtime stage: produces final image that will be executed
+FROM base-riscv64
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
 ADD https://github.com/cartesi/machine-emulator-tools/releases/download/v${MACHINE_EMULATOR_TOOLS_VERSION}/machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb /
@@ -61,7 +92,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-    busybox-static=1:1.36.1-6ubuntu3.1
+    busybox-static
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF
@@ -69,7 +100,7 @@ EOF
 ENV PATH="/opt/cartesi/bin:/opt/cartesi/dapp:${PATH}"
 
 WORKDIR /opt/cartesi/dapp
-COPY --from=builder /opt/cartesi/dapp/target/riscv64gc-unknown-linux-gnu/release/dapp .
+COPY --from=cross-build-stage /opt/cartesi/dapp/target/riscv64gc-unknown-linux-gnu/release/dapp .
 
 ENV ROLLUP_HTTP_SERVER_URL="http://127.0.0.1:5004"