Launching StableBuild - freeze and pin all your dependencies
🎉 Today we’re launching StableBuild, a new set of tools that helps developers create reliable and deterministic builds - by letting them easily freeze and pin Docker images, operating system packages, Python packages, and arbitrary build dependencies.
Sign up for free at https://dashboard.stablebuild.com !
Docker and deterministic builds
Docker has made it infinitely easier to ship application code, by allowing you to bundle your application plus all its dependencies - from the operating system to your Python packages - in a single deployable container. And through Dockerfiles, you have a human-readable specification of how that application needs to be built.
There’s one big problem though. At first glance Dockerfiles look deterministic (the same Dockerfile creates the same Docker container), but in reality you're depending on a myriad of mirrors, package registries, and repositories - any of which can change at any moment. Here’s an example:
This Dockerfile actually depends on 5 separate services:
This all means that this same Dockerfile can produce wildly different containers depending on when the container is built. Today you write your Dockerfile, test your application, and all is well. Tomorrow you rebuild the container from the same Dockerfile (e.g. you needed to update some code, or add an extra dependency) and now you’ll get a new OS version, new package versions from `apt`, a new Python version, hopefully the get-pip URL still resolves, and new Python packages. Maybe it works, maybe it doesn’t.
This is a massive maintenance burden for larger software teams, especially because it's all reactive. Someone makes a seemingly small change to your codebase, the build server builds the container from scratch, and the build breaks with a completely unrelated error. Now you need to go and update your application immediately to work with the new dependency (the build is broken!).
StableBuild to the rescue
StableBuild is fixing this. StableBuild is a set of mirrors and package registries aimed at making container builds reliable and deterministic. In essence this means that you can freeze any dependency using StableBuild, so the same Dockerfile will yield the same Docker container. We currently do this for:
Solving the problem in 5 minutes
StableBuild integrates into your existing build toolchain in 5 minutes. For example, here’s the same Dockerfile as before, but now fully cached and built through StableBuild:
That’s it. This container is now fully pinned, and will always install the same OS version, package list and Python dependencies. 🎉
Getting started with StableBuild
Excited? So are we!
Working with our first customers we’ve seen builds break due to shifting dependencies every few weeks. That doesn’t sound like a lot, but it’s always time critical - builds need to be fixed immediately as production deploys are broken; typically only very senior engineers can do the update; and you need rigorous testing to verify that updated dependencies don’t break something for which you don’t have automated tests.
StableBuild has fixed all of that for them. Of course you still want to update dependencies (we like security fixes too), but customers can now do that on their own time, without time pressure.
Want that too? To sign up for StableBuild head to https://dashboard.stablebuild.com - there's a free community plan available, which will give you full access to all mirrors and registries with a traffic/storage limit. Paid plans start at $199 a month for unlimited access. If there’s anything missing (e.g. you build on a different OS, or want another PPA) - just give us a shout at support@stablebuild.com and we’ll add it. Or if you want to read more about how StableBuild makes builds more stable and deterministic, see the docs at https://docs.stablebuild.com/.
Cheers,
The StableBuild team