Comment by looperhacks
8 days ago
How is OCI terrible for reproducibility and security? They are certainly more reproducible than what we had before. I haven't heard "Works on my machine for a long time". If you're talking about reproducible builds, there aren't any hard issues either that are directly caused by OCI images - except setting the clock correctly.
> Boot images should be Dm-verity protected EROFS images
Maybe I'm misunderstanding you - I gather that you think the boot images are distributed as OCI images? That's not the case, bootc is more about building the image, updating it and the overall structure. Booting an image built with bootc does not involve any container infrastructure (unless you start services that depend on containers, I guess - but that's deep in userspace). There's technically nothing preventing this from using verified read-only images.
> I gather that you think the boot images are distributed as OCI image
Yes? That's literally the sales pitch on the website. Am I missing something?
Quote from https://bootc-dev.github.io/ tells me that bootc is using OCI as a delivery format for bootable images.
Transactional, in-place operating system updates using OCI/Docker container images.
Motivation The original Docker container model of using "layers" to model applications has been extremely successful. This project aims to apply the same technique for bootable host systems - using standard OCI/Docker containers as a transport and delivery format for base operating system updates
For the record, bootc supports and has workflows for verity images.