undefined | Better HN

0 pointslooperhacks1mo ago0 comments

How is OCI terrible for reproducibility and security? They are certainly more reproducible than what we had before. I haven't heard "Works on my machine for a long time". If you're talking about reproducible builds, there aren't any hard issues either that are directly caused by OCI images - except setting the clock correctly.

> Boot images should be Dm-verity protected EROFS images

Maybe I'm misunderstanding you - I gather that you think the boot images are distributed as OCI images? That's not the case, bootc is more about building the image, updating it and the overall structure. Booting an image built with bootc does not involve any container infrastructure (unless you start services that depend on containers, I guess - but that's deep in userspace). There's technically nothing preventing this from using verified read-only images.

0 comments

arianvanp1mo ago

> I gather that you think the boot images are distributed as OCI image

Yes? That's literally the sales pitch on the website. Am I missing something?

Quote from https://bootc-dev.github.io/ tells me that bootc is using OCI as a delivery format for bootable images.

Transactional, in-place operating system updates using OCI/Docker container images.

Motivation The original Docker container model of using "layers" to model applications has been extremely successful. This project aims to apply the same technique for bootable host systems - using standard OCI/Docker containers as a transport and delivery format for base operating system updates

saltamimi1mo ago

For the record, bootc supports and has workflows for verity images.

j / k navigate · click thread line to collapse