@dmbaturin , @Viacheslav - I use debian snapshot repository when building VyOS LTS on my own.

In order to get that going, the following apt setting needs to be set to false:

Acquire::Check-Valid-Until

I fix that the following way in my build-script:

# Determine date of tag in proper format
date="$(git log --tags --simplify-by-decoration --pretty="format:%aI %d"  | grep " $version)"  | sed 's/-//g;s/://g;s/\+.*//g')Z"
archive_url="https://snapshot.debian.org/archive/debian/$date/"
archive_security_url="https://snapshot.debian.org/archive/debian-security/$date/"

# Export build env, for other steps
echo "VYOS_DEBIAN_MIRROR=$archive_url" >> build.env
echo "VYOS_DEBIAN_MIRROR_SECURITY=$archive_security_url" >> build.env

# Allow older packages
sed -i 's/-oAPT::Get::allow-downgrades=true/-oAPT::Get::allow-downgrades=true -oAcquire::Check-Valid-Until=false/g' $(readlink -f build-vyos-image) 

# Build
./build-vyos-image $type --debian-mirror "$VYOS_DEBIAN_MIRROR" --pbuilder-debian-mirror "$VYOS_DEBIAN_MIRROR" --debian-security-mirror "$VYOS_DEBIAN_MIRROR_SECURITY" --architecture amd64 --build-by "some-mail"  --build-type release --version "$version"

Opening a PR for the "-oAcquire::Check-Valid-Until=false"-Option is still on my todo list, would that go into the direction that you are looking for? If yes, I'll do some adjustments that set that setting to false in case somebody is using snapshot repos and open a PR on GitHub.

Regarding reproducible builds: It's really hard to determine which version of packages / which debian snapshot the "official" LTS iso has been built. I would actually imagine that with setting a tag in the build script, also the proper snapshot url gets set as default for this tag. This would then actually create reproducible builds, at least regarding package versions. In order to make them really reproducible (as in: yields the same hash for the iso file), I guess more work needs to be done.