containerd
diff --git a/‎.github/workflows/test-canary.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test-canary.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 15 additions & 15 deletions b/‎.github/workflows/test.yml‎
Lines changed: 15 additions & 15 deletions
diff --git a/‎Dockerfile‎
Lines changed: 49 additions & 38 deletions b/‎Dockerfile‎
Lines changed: 49 additions & 38 deletions
diff --git a/‎Dockerfile.d/SHA256SUMS.d/containerd-fuse-overlayfs-v2.1.1‎
Lines changed: 0 additions & 6 deletions b/‎Dockerfile.d/SHA256SUMS.d/containerd-fuse-overlayfs-v2.1.1‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎Dockerfile.d/SHA256SUMS.d/containerd-fuse-overlayfs-v2.1.2‎
Lines changed: 6 additions & 0 deletions b/‎Dockerfile.d/SHA256SUMS.d/containerd-fuse-overlayfs-v2.1.2‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.1‎
Lines changed: 0 additions & 6 deletions b/‎Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.1‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.2‎
Lines changed: 7 additions & 0 deletions b/‎Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.2‎
Lines changed: 7 additions & 0 deletions
@@ -81,7 +81,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: containerd/containerd
-          ref: "v1.7.25"
+          ref: "v1.7.27"
           path: containerd
           fetch-depth: 1
       - name: "Set up CNI"
 
@@ -26,13 +26,13 @@ jobs:
       matrix:
         include:
           - runner: ubuntu-24.04
-            containerd: v1.6.36
+            containerd: v1.6.38
             arch: amd64
           - runner: ubuntu-24.04
-            containerd: v2.0.3
+            containerd: v2.0.4
             arch: amd64
           - runner: ubuntu-24.04-arm
-            containerd: v2.0.3
+            containerd: v2.0.4
             arch: arm64
     env:
       CONTAINERD_VERSION: "${{ matrix.containerd }}"
@@ -82,7 +82,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: containerd/containerd
-          ref: v1.7.25
+          ref: v1.7.27
           path: containerd
           fetch-depth: 1
       - if: ${{ matrix.goos=='windows' }}
@@ -102,15 +102,15 @@ jobs:
       matrix:
         include:
           - ubuntu: 22.04
-            containerd: v1.6.36
+            containerd: v1.6.38
             runner: "ubuntu-22.04"
             arch: amd64
           - ubuntu: 24.04
-            containerd: v2.0.3
+            containerd: v2.0.4
             runner: "ubuntu-24.04"
             arch: amd64
           - ubuntu: 24.04
-            containerd: v2.0.3
+            containerd: v2.0.4
             runner: "ubuntu-24.04-arm"
             arch: arm64
     env:
@@ -160,7 +160,7 @@ jobs:
       matrix:
         include:
           - ubuntu: 24.04
-            containerd: v2.0.3
+            containerd: v2.0.4
             arch: amd64
     env:
       CONTAINERD_VERSION: "${{ matrix.containerd }}"
@@ -221,25 +221,25 @@ jobs:
       matrix:
         include:
           - ubuntu: 22.04
-            containerd: v1.6.36
+            containerd: v1.6.38
             rootlesskit: v1.1.1  # Deprecated
             target: rootless
             runner: "ubuntu-22.04"
             arch: amd64
           - ubuntu: 24.04
-            containerd: v2.0.3
+            containerd: v2.0.4
             rootlesskit: v2.3.4
             target: rootless
             arch: amd64
             runner: "ubuntu-24.04"
           - ubuntu: 24.04
-            containerd: v2.0.3
+            containerd: v2.0.4
             rootlesskit: v2.3.4
             target: rootless
             arch: arm64
             runner: "ubuntu-24.04-arm"
           - ubuntu: 24.04
-            containerd: v2.0.3
+            containerd: v2.0.4
             rootlesskit: v2.3.4
             target: rootless-port-slirp4netns
             arch: amd64
@@ -373,15 +373,15 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: containerd/containerd
-          ref: v1.7.25
+          ref: v1.7.27
           path: containerd
           fetch-depth: 1
       - name: "Set up CNI"
         working-directory: containerd
         run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
       - name: "Set up containerd"
         env:
-          ctrdVersion: 1.7.25
+          ctrdVersion: 1.7.27
         run: powershell hack/configure-windows-ci.ps1
       - name: "Run integration tests"
         run: ./hack/test-integration.sh -test.only-flaky=false
@@ -437,7 +437,7 @@ jobs:
     env:
       MODE: ${{ matrix.mode }}
       # FIXME: this is only necessary to access the build cache. To remove with build cleanup.
-      CONTAINERD_VERSION: v2.0.3
+      CONTAINERD_VERSION: v2.0.4
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
 
@@ -15,42 +15,42 @@
 # -----------------------------------------------------------------------------
 # Usage: `docker run -it --privileged <IMAGE>`. Make sure to add `-t` and `--privileged`.
 
-# TODO: verify commit hash
-
 # Basic deps
-ARG CONTAINERD_VERSION=v2.0.3
-ARG RUNC_VERSION=v1.2.5
-ARG CNI_PLUGINS_VERSION=v1.6.2
+# @BINARY: the binary checksums are verified via Dockerfile.d/SHA256SUMS.d/<COMPONENT>-<VERSION>
+ARG CONTAINERD_VERSION=v2.0.4@1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
+ARG RUNC_VERSION=v1.2.6@e89a29929c775025419ab0d218a43588b4c12b9a
+ARG CNI_PLUGINS_VERSION=v1.6.2@BINARY
 
 # Extra deps: Build
-ARG BUILDKIT_VERSION=v0.20.1
+ARG BUILDKIT_VERSION=v0.20.1@BINARY
 # Extra deps: Lazy-pulling
-ARG STARGZ_SNAPSHOTTER_VERSION=v0.16.3
+ARG STARGZ_SNAPSHOTTER_VERSION=v0.16.3@BINARY
 # Extra deps: Encryption
-ARG IMGCRYPT_VERSION=v2.0.0
+ARG IMGCRYPT_VERSION=v2.0.1@c377ec98ff79ec9205eabf555ebd2ea784738c6c
 # Extra deps: Rootless
-ARG ROOTLESSKIT_VERSION=v2.3.4
-ARG SLIRP4NETNS_VERSION=v1.3.1
+ARG ROOTLESSKIT_VERSION=v2.3.4@BINARY
+ARG SLIRP4NETNS_VERSION=v1.3.2@BINARY
 # Extra deps: bypass4netns
-ARG BYPASS4NETNS_VERSION=v0.4.2
+ARG BYPASS4NETNS_VERSION=v0.4.2@aa04bd3dcc48c6dae6d7327ba219bda8fe2a4634
 # Extra deps: FUSE-OverlayFS
-ARG FUSE_OVERLAYFS_VERSION=v1.14
-ARG CONTAINERD_FUSE_OVERLAYFS_VERSION=v2.1.1
+ARG FUSE_OVERLAYFS_VERSION=v1.14@BINARY
+ARG CONTAINERD_FUSE_OVERLAYFS_VERSION=v2.1.2@BINARY
 # Extra deps: Init
-ARG TINI_VERSION=v0.19.0
+ARG TINI_VERSION=v0.19.0@BINARY
 # Extra deps: Debug
-ARG BUILDG_VERSION=v0.4.1
+ARG BUILDG_VERSION=v0.4.1@BINARY
 
 # Test deps
+# Currently, the Docker Official Images and the test deps are not pinned by the hash
 ARG GO_VERSION=1.24
 ARG UBUNTU_VERSION=24.04
 ARG CONTAINERIZED_SYSTEMD_VERSION=v0.1.1
 ARG GOTESTSUM_VERSION=v1.12.0
 ARG NYDUS_VERSION=v2.3.0
 ARG SOCI_SNAPSHOTTER_VERSION=0.8.0
-ARG KUBO_VERSION=v0.32.1
+ARG KUBO_VERSION=v0.33.2
 
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1@sha256:923441d7c25f1e2eb5789f82d987693c47b8ed987c4ab3b075d6ed2b5d6779a3 AS xx
 
 
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS build-base-debian
@@ -70,13 +70,14 @@ RUN xx-apt-get update -qq && xx-apt-get install -qq --no-install-recommends \
   libseccomp-dev \
   pkg-config
 RUN git config --global advice.detachedHead false
+ADD hack/git-checkout-tag-with-hash.sh /usr/local/bin/
 
 FROM build-base-debian AS build-containerd
 ARG TARGETARCH
 ARG CONTAINERD_VERSION
 RUN git clone https://github.com/containerd/containerd.git /go/src/github.com/containerd/containerd
 WORKDIR /go/src/github.com/containerd/containerd
-RUN git checkout ${CONTAINERD_VERSION} && \
+RUN git-checkout-tag-with-hash.sh ${CONTAINERD_VERSION} && \
   mkdir -p /out /out/$TARGETARCH && \
   cp -a containerd.service /out
 RUN GO=xx-go make STATIC=1 && \
@@ -87,7 +88,7 @@ ARG RUNC_VERSION
 ARG TARGETARCH
 RUN git clone https://github.com/opencontainers/runc.git /go/src/github.com/opencontainers/runc
 WORKDIR /go/src/github.com/opencontainers/runc
-RUN git checkout ${RUNC_VERSION} && \
+RUN git-checkout-tag-with-hash.sh ${RUNC_VERSION} && \
   mkdir -p /out
 ENV CGO_ENABLED=1
 RUN GO=xx-go CC=$(xx-info)-gcc STRIP=$(xx-info)-strip make static && \
@@ -98,7 +99,7 @@ ARG BYPASS4NETNS_VERSION
 ARG TARGETARCH
 RUN git clone https://github.com/rootless-containers/bypass4netns.git /go/src/github.com/rootless-containers/bypass4netns
 WORKDIR /go/src/github.com/rootless-containers/bypass4netns
-RUN git checkout ${BYPASS4NETNS_VERSION} && \
+RUN git-checkout-tag-with-hash.sh ${BYPASS4NETNS_VERSION} && \
   mkdir -p /out/${TARGETARCH}
 ENV CGO_ENABLED=1
 RUN GO=xx-go make static && \
@@ -109,7 +110,7 @@ ARG KUBO_VERSION
 ARG TARGETARCH
 RUN git clone https://github.com/ipfs/kubo.git /go/src/github.com/ipfs/kubo
 WORKDIR /go/src/github.com/ipfs/kubo
-RUN git checkout ${KUBO_VERSION} && \
+RUN git-checkout-tag-with-hash.sh ${KUBO_VERSION} && \
   mkdir -p /out/${TARGETARCH}
 ENV CGO_ENABLED=0
 RUN xx-go --wrap && \
@@ -119,6 +120,7 @@ RUN xx-go --wrap && \
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS build-base
 RUN apk add --no-cache make git curl
 RUN git config --global advice.detachedHead false
+ADD hack/git-checkout-tag-with-hash.sh /usr/local/bin/
 
 FROM build-base AS build-minimal
 RUN BINDIR=/out/bin make binaries install
@@ -134,20 +136,22 @@ RUN mkdir -p /out/share/doc/nerdctl-full && touch /out/share/doc/nerdctl-full/RE
 ARG CONTAINERD_VERSION
 COPY --from=build-containerd /out/${TARGETARCH:-amd64}/* /out/bin/
 COPY --from=build-containerd /out/containerd.service /out/lib/systemd/system/containerd.service
-RUN echo "- containerd: ${CONTAINERD_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+RUN echo "- containerd: ${CONTAINERD_VERSION/@*}" >> /out/share/doc/nerdctl-full/README.md
 ARG RUNC_VERSION
 COPY --from=build-runc /out/runc.${TARGETARCH:-amd64} /out/bin/runc
-RUN echo "- runc: ${RUNC_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+RUN echo "- runc: ${RUNC_VERSION/@*}" >> /out/share/doc/nerdctl-full/README.md
 ARG CNI_PLUGINS_VERSION
-RUN fname="cni-plugins-${TARGETOS:-linux}-${TARGETARCH:-amd64}-${CNI_PLUGINS_VERSION}.tgz" && \
+RUN CNI_PLUGINS_VERSION=${CNI_PLUGINS_VERSION/@BINARY}; \
+  fname="cni-plugins-${TARGETOS:-linux}-${TARGETARCH:-amd64}-${CNI_PLUGINS_VERSION}.tgz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/cni-plugins-${CNI_PLUGINS_VERSION}" | sha256sum -c && \
   mkdir -p /out/libexec/cni && \
   tar xzf "${fname}" -C /out/libexec/cni && \
   rm -f "${fname}" && \
   echo "- CNI plugins: ${CNI_PLUGINS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BUILDKIT_VERSION
-RUN fname="buildkit-${BUILDKIT_VERSION}.${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+RUN BUILDKIT_VERSION=${BUILDKIT_VERSION/@BINARY}; \
+  fname="buildkit-${BUILDKIT_VERSION}.${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/moby/buildkit/releases/download/${BUILDKIT_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/buildkit-${BUILDKIT_VERSION}" | sha256sum -c && \
   tar xzf "${fname}" -C /out && \
@@ -161,7 +165,8 @@ RUN cd /out/lib/systemd/system && \
   echo "" >> buildkit.service && \
   echo "# This file was converted from containerd.service, with \`sed -E '${sedcomm}'\`" >> buildkit.service
 ARG STARGZ_SNAPSHOTTER_VERSION
-RUN fname="stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+RUN STARGZ_SNAPSHOTTER_VERSION=${STARGZ_SNAPSHOTTER_VERSION/@BINARY}; \
+  fname="stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containerd/stargz-snapshotter/releases/download/${STARGZ_SNAPSHOTTER_VERSION}/${fname}" && \
   curl -o "stargz-snapshotter.service" -fsSL --proto '=https' --tlsv1.2 "https://raw.githubusercontent.com/containerd/stargz-snapshotter/${STARGZ_SNAPSHOTTER_VERSION}/script/config/etc/systemd/system/stargz-snapshotter.service" && \
   grep "${fname}" "/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}" | sha256sum -c - && \
@@ -173,48 +178,54 @@ RUN fname="stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-$
 ARG IMGCRYPT_VERSION
 RUN git clone https://github.com/containerd/imgcrypt.git /go/src/github.com/containerd/imgcrypt && \
   cd /go/src/github.com/containerd/imgcrypt && \
-  git checkout "${IMGCRYPT_VERSION}" && \
+  git-checkout-tag-with-hash.sh "${IMGCRYPT_VERSION}" && \
   CGO_ENABLED=0 make && DESTDIR=/out make install && \
-  echo "- imgcrypt: ${IMGCRYPT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+  echo "- imgcrypt: ${IMGCRYPT_VERSION/@*}" >> /out/share/doc/nerdctl-full/README.md
 ARG SLIRP4NETNS_VERSION
-RUN fname="slirp4netns-$(cat /target_uname_m)" && \
+RUN SLIRP4NETNS_VERSION=${SLIRP4NETNS_VERSION/@BINARY}; \
+  fname="slirp4netns-$(cat /target_uname_m)" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/slirp4netns-${SLIRP4NETNS_VERSION}" | sha256sum -c && \
   mv "${fname}" /out/bin/slirp4netns && \
   chmod +x /out/bin/slirp4netns && \
   echo "- slirp4netns: ${SLIRP4NETNS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BYPASS4NETNS_VERSION
 COPY --from=build-bypass4netns /out/${TARGETARCH:-amd64}/* /out/bin/
-RUN echo "- bypass4netns: ${BYPASS4NETNS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+RUN echo "- bypass4netns: ${BYPASS4NETNS_VERSION/@*}" >> /out/share/doc/nerdctl-full/README.md
 ARG FUSE_OVERLAYFS_VERSION
-RUN fname="fuse-overlayfs-$(cat /target_uname_m)" && \
+RUN FUSE_OVERLAYFS_VERSION=${FUSE_OVERLAYFS_VERSION/@BINARY}; \
+  fname="fuse-overlayfs-$(cat /target_uname_m)" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containers/fuse-overlayfs/releases/download/${FUSE_OVERLAYFS_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/fuse-overlayfs-${FUSE_OVERLAYFS_VERSION}" | sha256sum -c && \
   mv "${fname}" /out/bin/fuse-overlayfs && \
   chmod +x /out/bin/fuse-overlayfs && \
   echo "- fuse-overlayfs: ${FUSE_OVERLAYFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG CONTAINERD_FUSE_OVERLAYFS_VERSION
-RUN fname="containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION/v}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+RUN CONTAINERD_FUSE_OVERLAYFS_VERSION=${CONTAINERD_FUSE_OVERLAYFS_VERSION/@BINARY}; \
+  fname="containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION/v}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/${CONTAINERD_FUSE_OVERLAYFS_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}" | sha256sum -c && \
   tar xzf "${fname}" -C /out/bin && \
   rm -f "${fname}" && \
   echo "- containerd-fuse-overlayfs: ${CONTAINERD_FUSE_OVERLAYFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG TINI_VERSION
-RUN fname="tini-static-${TARGETARCH:-amd64}" && \
+RUN TINI_VERSION=${TINI_VERSION/@BINARY}; \
+  fname="tini-static-${TARGETARCH:-amd64}" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/tini-${TINI_VERSION}" | sha256sum -c && \
   cp -a "${fname}" /out/bin/tini && chmod +x /out/bin/tini && \
   echo "- Tini: ${TINI_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BUILDG_VERSION
-RUN fname="buildg-${BUILDG_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+RUN BUILDG_VERSION=${BUILDG_VERSION/@BINARY}; \
+  fname="buildg-${BUILDG_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/ktock/buildg/releases/download/${BUILDG_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/buildg-${BUILDG_VERSION}" | sha256sum -c && \
   tar xzf "${fname}" -C /out/bin && \
   rm -f "${fname}" && \
   echo "- buildg: ${BUILDG_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG ROOTLESSKIT_VERSION
-RUN fname="rootlesskit-$(cat /target_uname_m).tar.gz" && \
+RUN ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION/@BINARY}; \
+  fname="rootlesskit-$(cat /target_uname_m).tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/${fname}" && \
   grep "${fname}" "/SHA256SUMS.d/rootlesskit-${ROOTLESSKIT_VERSION}" | sha256sum -c && \
   tar xzf "${fname}" -C /out/bin && \
@@ -223,10 +234,10 @@ RUN fname="rootlesskit-$(cat /target_uname_m).tar.gz" && \
 
 RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/${SLIRP4NETNS_VERSION}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/${FUSE_OVERLAYFS_VERSION}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
+  echo "- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/${SLIRP4NETNS_VERSION/@*}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
+  echo "- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/${FUSE_OVERLAYFS_VERSION/@*}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- bin/tini: [MIT License](https://github.com/krallin/tini/blob/${TINI_VERSION}/LICENSE)" >> /out/share/doc/nerdctl-full/README.md && \
+  echo "- bin/tini: [MIT License](https://github.com/krallin/tini/blob/${TINI_VERSION/@*}/LICENSE)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)" >> /out/share/doc/nerdctl-full/README.md
 
 FROM build-dependencies AS build-full
 
@@ -0,0 +1,6 @@
+b484d76468b7e91e215c7bdab99eb6322e3c396707cd72c3571d8bc6a62f4fb5  containerd-fuse-overlayfs-2.1.2-linux-amd64.tar.gz
+35648602f4eea1a84095ac19ca63752e3a9faa2e1a3b9ba95c6e555aee932820  containerd-fuse-overlayfs-2.1.2-linux-arm-v7.tar.gz
+0d9a75ef98e4538f039fea3da621560fd2b85a6bc34735f189121decf7d2266b  containerd-fuse-overlayfs-2.1.2-linux-arm64.tar.gz
+02a4f9c90b2fbabd4326a19f7659638b36910c4633fe1772f44da6239c4e95fa  containerd-fuse-overlayfs-2.1.2-linux-ppc64le.tar.gz
+febd653d766cc724383045509b6958d8f1bdfc4d4b8d5027099d7760c6374dca  containerd-fuse-overlayfs-2.1.2-linux-riscv64.tar.gz
+44a6c830d3371d522033ac47a2f90b6be12311d72a8b290a70d73771aa062e6c  containerd-fuse-overlayfs-2.1.2-linux-s390x.tar.gz
@@ -0,0 +1,7 @@
+b4162d27bbbd3683ca8ee57b51a1b270c0054b3a15fcc1830a5d7c10b77ad045  SOURCE_DATE_EPOCH
+c55117faa5e18345a3ee1515267f056822ff0c1897999ae5422b0114ee48df85  slirp4netns-aarch64
+f55a6c9e3ec8280e9c3cec083f07dc124e2846ce8139a9281c35013e968d7e95  slirp4netns-armv7l
+7b388a9cacbd89821f7f7a6457470fcae8f51aa846162521589feb4634ec7586  slirp4netns-ppc64le
+041f9fe507510de1fbb802933a6add093ff19f941185965295c81f2ba4fc9cec  slirp4netns-riscv64
+aa39cf14414ae53dbff6b79dfdfa55b5ff8ac5250e2261804863cd365b33a818  slirp4netns-s390x
+4d55a3658ae259e3e74bb75cf058eb05d6e39ad6bbe170ca8e94c2462bea0eb1  slirp4netns-x86_64