Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: document PackManifestOptions to make PackManifest reproducible #748

Closed
shizhMSFT opened this issue Apr 23, 2024 · 2 comments · Fixed by #749
Closed

docs: document PackManifestOptions to make PackManifest reproducible #748

shizhMSFT opened this issue Apr 23, 2024 · 2 comments · Fixed by #749
Assignees
@wangxiaoxuan273
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Milestone
v2.6.0

Comments

@shizhMSFT
Copy link
Contributor

shizhMSFT commented Apr 23, 2024
edited

PackManifest packs an artifact by generating a manifest with annotation org.opencontainers.image.created.

Each time calling PackManifest, a new time stamp is generated for org.opencontainers.image.created even with the same content. Therefore, building an artifact is not reproducible.

The PackManifest method can be reproducible when ocispec.AnnotationCreated is set. However, this fact is not called out in the docs of PackManifestOptions as well as PackManifest.

This request is to enhance the documentation for reproducibility of PackManifest.
@shizhMSFT shizhMSFT added documentation Improvements or additions to documentation enhancement New feature or request labels Apr 23, 2024
@shizhMSFT shizhMSFT added this to the v2.6.0 milestone Apr 23, 2024
@shizhMSFT shizhMSFT mentioned this issue Apr 23, 2024
Open
1 task
@wangxiaoxuan273 wangxiaoxuan273 mentioned this issue Apr 23, 2024
Merged
@cunningr
Copy link

Are we saying that the proposed solution here is pass the arg -a "org.opencontainers.image.created=1970-01-01T00:00:00Z" or similar to ensure deterministic builds?

@wangxiaoxuan273
Copy link
Contributor

Are we saying that the proposed solution here is pass the arg -a "org.opencontainers.image.created=1970-01-01T00:00:00Z" or similar to ensure deterministic builds?

Regarding oras-cli, this is our proposed solution to ensure deterministic builds. This issue is for the library oras-go, we need to tell the users of the library the behavior of PackManifest regarding the timestamp annotation.

Wwwsylvia pushed a commit that referenced this issue May 20, 2024
@wangxiaoxuan273
docs: document PackManifestOptions to make PackManifest reproducible (#…
aef90e4 
…749)

Resolves #748

Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wangxiaoxuan273 wangxiaoxuan273

Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Milestone
v2.6.0
Development

Successfully merging a pull request may close this issue.

docs: document PackManifestOptions to make PackManifest reproducible wangxiaoxuan273/oras-go
3 participants
@cunningr @shizhMSFT @wangxiaoxuan273