
Show HN: Compare local Docker images with ones in registry - ivanilves
https://github.com/ivanilves/lstags
======
gardnr
Now if we could just get some sort of hash consensus around what is in
root.tar.xz. I feel like we are all blindly trusting large binary blobs as the
core of our systems without any reproducible builds or peer auditing.

~~~
jonjonsonjr
You might be interested in distroless[1] base images.

The repo links to a talk that goes into more depth, but the basic idea is to
use a minimal language-specific base for your runtime instead of e.g. statically
linking all of ubuntu into your image.

The base images are built with bazel's docker rules[2], so you get
reproducible builds.

[1] https://github.com/GoogleCloudPlatform/distroless

[2] https://github.com/bazelbuild/rules_docker

~~~
dlor
I've even been using these rules here to work on making the Debian distro
rootfs.tar.xz times we provide for Google Cloud Platform reproducible.

The same source should lead to the same tarball, and anyone should be able to
clone the repo and verify that.

github.com/GoogleCloudPlatform/debian-docker

------
gkfasdfasdf
Would be great if there was a Dockerfile, so it could be run from Docker for
Windows.

------
gtaylor
I was looking for something like this just this week. Awesome!

~~~
ivanilves
Glad it helped!

Feel free to submit an issue or PR or some other form of feedback ;)

