git.stella-ops.org/devops/docker/repro-builders/debian/Dockerfile

# Debian Reproducible Builder
# Creates deterministic builds of Debian packages for fingerprint diffing
#
# Usage:
#   docker build -t repro-builder-debian:bookworm --build-arg RELEASE=bookworm .
#   docker run -v ./output:/output repro-builder-debian:bookworm build openssl 3.0.7-1

ARG RELEASE=bookworm
FROM debian:${RELEASE}

ARG RELEASE
ENV DEBIAN_RELEASE=${RELEASE}
ENV DEBIAN_FRONTEND=noninteractive

# Install build tools
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    devscripts \
    dpkg-dev \
    equivs \
    fakeroot \
    git \
    curl \
    ca-certificates \
    binutils \
    elfutils \
    coreutils \
    patch \
    diffutils \
    file \
    jq \
    && rm -rf /var/lib/apt/lists/*

# Create build user
RUN useradd -m -s /bin/bash builder \
    && echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

USER builder
WORKDIR /home/builder

# Copy scripts
COPY --chown=builder:builder scripts/build.sh /usr/local/bin/build.sh
COPY --chown=builder:builder scripts/extract-functions.sh /usr/local/bin/extract-functions.sh
COPY --chown=builder:builder scripts/normalize.sh /usr/local/bin/normalize.sh

USER root
RUN chmod +x /usr/local/bin/*.sh
USER builder

# Environment for reproducibility
ENV TZ=UTC
ENV LC_ALL=C.UTF-8
ENV LANG=C.UTF-8

VOLUME /output
WORKDIR /build

ENTRYPOINT ["/usr/local/bin/build.sh"]
CMD ["--help"]