Description of problem:
As described in (https://github.com/containers/buildah/issues/1048) when an image is already present with buildah in a seperate registry, it will force-push it anyway the first time.

This is better described in this unfinished commit here:

https://github.com/containers/image/pull/550

In essence, in CI/CD pipelines where buildah is run in a fresh environment every time, it forces a lot of extra traffic and uploading if an image is pushed to a second location where it already exists. Docker does not do this and will query the second registry for the same image hashes and decide not to push it, whereas c/image will at the moment currently still re-push exactly the same content (the first time).

An example. Pull an image, tag it, and push it again:

$ buildah pull registry.fedoraproject.org/fedora-minimal
$ buildah tag registry.fedoraproject.org/fedora-minimal quay.io/robbmanes/trashcan-image
$ buildah push quay.io/robbmanes/trashcan-image

This does exactly what you expect, and if you try to re-push the image from this system it will skip the appropriate layers:

$ buildah push quay.io/robbmanes/trashcan-image
Getting image source signatures
Copying blob a3497ca15bbf skipped: already exists
Copying config f7e02de757 done
Writing manifest to image destination
Storing signatures

However, if you run the exact same operation from a new environment (such as in a container or in a CI/CD pipeline) it will re-push the same image despite absolutely nothing changing on the destination:

$ sudo podman run -it --rm --name buildah registry.redhat.io/ubi8/buildah bash
[root@1b1f838c9d5b /]# buildah pull registry.fedoraproject.org/fedora-minimal
[root@1b1f838c9d5b /]# buildah tag registry.fedoraproject.org/fedora-minimal quay.io/robbmanes/trashcan-image
[root@1b1f838c9d5b /]# buildah push quay.io/robbmanes/trashcan-image
Getting image source signatures
Copying blob a3497ca15bbf done
Copying config f7e02de757 [--------------------------------------] 0.0b / 1.3KiB
Writing manifest to image destination
Storing signatures

Having c/image behave in such a way that it checks the blobs on upload against the destination would prevent this from happening. Unfortunately, https://github.com/containers/image/pull/550 looks abandoned and may not be the best method moving forward from my (and others) review.

Version-Release number of selected component (if applicable):
Any

How reproducible:
Every time

Actual results:
Layer is not checked for matching content and is re-pushed despite no changes.

Expected results:
Matching layer should be detected and should not force a re-push of the same content to the destination registry.

Additional info:
This is reported in buildah as the component because I didn't know how to file against the main library for images in our container-tools suite (https://github.com/containers/image).

I'll be happy to take a shot at it, time permitting as well.