ProdNG image generation, getting a secure image.
Each new image to push is generated from scratch using the latest qualified packages we want to include in it (around 150 base Linux packages).
Then we have an image diff tool that shows the diffs in ASCII files, in the list of files, and in permissions between 2 images.
Package rebuilds revert mtime-only changes and squash binary changes caused by dates (for example, gzipping the same man page gives a new binary each time, because gzip encodes the time in the .gz file). The same applies to .pyc files.
As a result, rebuilding an image with the same input packages is reproducible and gives the same output.
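The gzip case above, as an added example (not ProdNG's own tooling): the same constructed man page compressed at two build times differs only in the 4-byte MTIME header field, and pinning that field makes the outputs identical. The function names, sample page, and timestamps are assumptions made for illustration.

```python
import gzip
import hashlib
import struct

GZIP_MAGIC = b"\x1f\x8b"
FHCRC = 0x02  # RFC 1952 flag: header carries its own CRC16


def gzip_mtime(blob: bytes) -> int:
    """Return MTIME: little-endian uint32 at offset 4 of the gzip header."""
    if len(blob) < 10 or blob[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip member")
    return struct.unpack_from("<I", blob, 4)[0]


def squash_gzip_mtime(blob: bytes, fixed: int = 0) -> bytes:
    """Rewrite MTIME to a fixed value so equal inputs give equal bytes."""
    gzip_mtime(blob)  # validates magic and minimum length
    if blob[3] & FHCRC:
        # Editing the header would invalidate its CRC16; refuse instead.
        raise ValueError("header CRC present, MTIME cannot be patched blindly")
    # The trailer CRC32 covers only the uncompressed data, so it stays valid.
    return blob[:4] + struct.pack("<I", fixed) + blob[8:]


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed sample: one man page, "rebuilt" a day apart.
MAN_PAGE = b".TH EXAMPLE 1\n.SH NAME\nexample \\- constructed man page\n"
BUILD_A = gzip.compress(MAN_PAGE, mtime=1_300_000_000)
BUILD_B = gzip.compress(MAN_PAGE, mtime=1_300_086_400)

if __name__ == "__main__":
    print("raw     :", digest(BUILD_A)[:16], digest(BUILD_B)[:16])
    print("squashed:", digest(squash_gzip_mtime(BUILD_A))[:16],
          digest(squash_gzip_mtime(BUILD_B))[:16])
```
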