oras-project / oras-go

ORAS Go library
https://oras.land
Apache License 2.0

docs: document `PackManifestOptions` to make `PackManifest` reproducible #748

Closed shizhMSFT closed 1 month ago

shizhMSFT commented 2 months ago

`PackManifest` packs an artifact by generating a manifest with the annotation `org.opencontainers.image.created`.

Each time `PackManifest` is called, a new timestamp is generated for `org.opencontainers.image.created`, even with the same content. Therefore, building an artifact is not reproducible.

The `PackManifest` method can be reproducible when `ocispec.AnnotationCreated` is set. However, this fact is not called out in the docs of `PackManifestOptions` or `PackManifest`.

This request is to enhance the documentation for reproducibility of PackManifest.

cunningr commented 2 months ago

Are we saying that the proposed solution here is to pass the arg `-a "org.opencontainers.image.created=1970-01-01T00:00:00Z"` or similar to ensure deterministic builds?

wangxiaoxuan273 commented 2 months ago

> Are we saying that the proposed solution here is to pass the arg `-a "org.opencontainers.image.created=1970-01-01T00:00:00Z"` or similar to ensure deterministic builds?

Regarding oras-cli, this is our proposed solution to ensure deterministic builds. This issue is for the library oras-go; we need to tell the users of the library the behavior of `PackManifest` regarding the timestamp annotation.
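
The behaviour discussed in this thread, as an added example (not code from oras-go or from the commenters): a standard-library model of a pack step that stamps `org.opencontainers.image.created` when the caller does not supply it, showing that the manifest digest changes between runs unless the annotation is pinned. The `packModel` function, the reduced `manifest` struct, the RFC 3339 check and the artifact type are assumptions of this example, not the library's API.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// annotationCreated is the annotation key discussed in the thread.
const annotationCreated = "org.opencontainers.image.created"

// manifest is a reduced, hypothetical stand-in for a generated OCI manifest.
type manifest struct {
	SchemaVersion int               `json:"schemaVersion"`
	MediaType     string            `json:"mediaType"`
	ArtifactType  string            `json:"artifactType"`
	Annotations   map[string]string `json:"annotations"`
}

// packModel (hypothetical) returns the sha256 digest of the manifest bytes.
// If the caller sets no created annotation, the time in now is stamped in.
func packModel(annotations map[string]string, now time.Time) (string, error) {
	merged := map[string]string{}
	for k, v := range annotations {
		merged[k] = v // copy so the caller's map is never mutated
	}
	if v, ok := merged[annotationCreated]; ok {
		// Assumption of this example: a pinned value must be RFC 3339.
		if _, err := time.Parse(time.RFC3339, v); err != nil {
			return "", fmt.Errorf("invalid %s: %w", annotationCreated, err)
		}
	} else {
		merged[annotationCreated] = now.UTC().Format(time.RFC3339)
	}
	// encoding/json sorts map keys, so equal inputs give equal bytes.
	raw, err := json.Marshal(manifest{SchemaVersion: 2, MediaType: "application/vnd.oci.image.manifest.v1+json", ArtifactType: "application/vnd.example.artifact", Annotations: merged})
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:]), nil
}

func main() {
	t0, pinned := time.Now(), map[string]string{annotationCreated: "1970-01-01T00:00:00Z"}
	a, _ := packModel(nil, t0)
	b, _ := packModel(nil, t0.Add(time.Second))
	c, _ := packModel(pinned, t0)
	d, _ := packModel(pinned, t0.Add(time.Second))
	fmt.Println("default reproducible:", a == b, "pinned reproducible:", c == d)
}
```

Comparing the digests of two independent runs in CI is a cheap regression check that no build step has reintroduced a wall-clock value.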