11# Use a specific version of Rust for reproducibility
2- # FROM debian:bullseye-slim as builder
3- FROM debian:bullseye-slim@sha256:f527627d07c18abf87313c341ee8ef1b36f106baa8b6b6dc33f4c872d988b651 AS builder
4-
5- RUN apt-get update && apt-get install -y \
6- curl \
7- build-essential \
8- git \
9- libssl-dev \
10- pkg-config
11-
12- # version MUST be the same as in /tools/verifier/rust-toolchain.toml
13- RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain nightly-2025-07-25
14- ENV PATH="/root/.cargo/bin:${PATH}"
15-
16- RUN rustup target add riscv32i-unknown-none-elf
17- RUN rustup component add llvm-tools-preview
18- RUN rustup component add rust-src
19- RUN cargo install cargo-binutils
20-
21- # RUN git clone --depth 1 -b mmzk_0608_reproduce https://github.com/matter-labs/zksync-airbender.git
2+ # Pinning os version and architecture for reproducibility
3+ FROM --platform=linux/amd64 debian:bullseye-slim@sha256:4edd2740ebd41d71ef78eed0081c8979e287e2496c6fca892f5936d1e22adcd3 AS builder
4+
5+
6+ # Freeze APT to a specific point in time (matches base image date)
7+ ARG DEBIAN_SNAPSHOT=20250811T000000Z
8+
9+ # Use snapshot.debian.org and disable Valid-Until
10+ RUN set -eux; \
11+ printf 'Acquire::Check-Valid-Until "false";\n ' > /etc/apt/apt.conf.d/99snapshot; \
12+ printf 'Acquire::http::No-Cache "true";\n ' > /etc/apt/apt.conf.d/99no-cache; \
13+ echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/${DEBIAN_SNAPSHOT} bullseye main" > /etc/apt/sources.list; \
14+ echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/${DEBIAN_SNAPSHOT} bullseye-security main" >> /etc/apt/sources.list; \
15+ apt-get -o Acquire::Check-Valid-Until=false update
16+
17+ # Setting a fixed SOURCE_DATE_EPOCH for reproducible builds
18+ # reproduce.sh will set it based on last commit date
19+ ARG SOURCE_DATE_EPOCH=1700000000
20+ ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} \
21+ CARGO_INCREMENTAL=0 \
22+ TZ=UTC LANG=C.UTF-8 LC_ALL=C.UTF-8
23+
24+ # Toolchain (paths pinned so absolute paths don’t leak)
25+ ENV CARGO_HOME=/opt/cargo RUSTUP_HOME=/opt/rustup
26+ ENV PATH=/opt/cargo/bin:$PATH
27+ RUN apt-get update && apt-get install -y --no-install-recommends \
28+ ca-certificates curl git build-essential libssl-dev pkg-config \
29+ && rm -rf /var/lib/apt/lists/*
30+ # version MUST be the same as in /tools/verifier/rust-toolchain.toml
31+ RUN curl -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain nightly-2025-07-25 --profile minimal
32+ RUN rustup target add riscv32i-unknown-none-elf \
33+ && cargo install cargo-binutils --locked \
34+ && rustup component add llvm-tools-preview \
35+ && rustup component add rust-src
36+
37+ ENV CARGO_TARGET_RISCV32I_UNKNOWN_NONE_ELF_AR=llvm-ar
38+ ENV CARGO_TARGET_RISCV32I_UNKNOWN_NONE_ELF_RANLIB=llvm-ranlib
39+
2240COPY . zksync-airbender
2341
24- WORKDIR zksync-airbender/tools/verifier
42+ WORKDIR / zksync-airbender/tools/verifier
2543
26- RUN ./build.sh
44+ RUN ./build.sh
0 commit comments