RHEL-62749

[RFE] ubi9 build is reproducible


    • Moderate
    • rhel-container-tools
    • Known Issue
      .UBI images are not reproducible
      The `podman build` and `buildah build` commands avoid introducing inconsistencies between builds that use the same set of inputs when you invoke them with the following:
      * The `--rewrite-timestamp` flag
      * The `--source-date-epoch` flag, or an equivalent build arg or environment value that you set when starting the build.

      You need to update tools that you invoke using `RUN` instructions so that they avoid producing nondeterministic output when `$SOURCE_DATE_EPOCH` is set in their environment. This applies to components that we deliver in RHEL.

      Also, depending on which tools or versions of those tools you run during a build, you might not be able to build specific images reproducibly.
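As an added example (not part of this issue, and not podman's or buildah's own code), the shell script below shows both halves of the note: a `stamp.sh` helper that honours `$SOURCE_DATE_EPOCH` instead of the wall clock, which is the change asked of tools run from `RUN` instructions, and a check that builds a constructed Containerfile twice with `--source-date-epoch`, `--rewrite-timestamp` and the matching build arg and compares the resulting image IDs. The base image, image tags, epoch value and the `--no-cache` rebuild are assumptions made for the demonstration; the flags need podman 5.4 or buildah 1.39 or later, and the image-build part runs only where `podman` is installed.

```shell
#!/bin/sh
# Added example for RHEL-62749; not the issue's or podman's own code.
# Everything below (Containerfile, tags, epoch) is constructed for the demo.
set -eu

# Emit an ISO-8601 build timestamp. When SOURCE_DATE_EPOCH is set (as it is
# for RUN steps of a build started with --source-date-epoch or the matching
# build arg), use it; fall back to the wall clock only when it is absent.
# This is the behaviour the release note asks of tools run from RUN.
build_stamp() {
    epoch="${SOURCE_DATE_EPOCH:-$(date +%s)}"
    # GNU date first, BSD date as a fallback.
    date -u -d "@$epoch" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -r "$epoch" +%Y-%m-%dT%H:%M:%SZ
}

# Compare two image IDs; returns 0 only when they are identical.
same_image() {
    if [ "$1" = "$2" ]; then
        echo "reproducible: $1"
        return 0
    fi
    echo "NOT reproducible: $1 != $2"
    return 1
}

# Build the same Containerfile twice with pinned timestamps and compare the
# image IDs. --no-cache forces the second build to re-run every step instead
# of trivially reusing the first build's layers.
check_reproducible() {
    workdir="$(mktemp -d)"
    epoch="${SOURCE_DATE_EPOCH:-1700000000}"   # constructed fixed epoch

    # The in-image copy of the stamp helper (same logic as build_stamp).
    cat > "$workdir/stamp.sh" <<'EOF'
#!/bin/sh
epoch="${SOURCE_DATE_EPOCH:-$(date +%s)}"
date -u -d "@$epoch" +%Y-%m-%dT%H:%M:%SZ
EOF

    # ARG makes the build arg visible to RUN steps as $SOURCE_DATE_EPOCH.
    cat > "$workdir/Containerfile" <<'EOF'
FROM registry.access.redhat.com/ubi9/ubi-minimal
ARG SOURCE_DATE_EPOCH
COPY stamp.sh /usr/local/bin/stamp.sh
RUN sh /usr/local/bin/stamp.sh > /etc/build-stamp
EOF

    for tag in a b; do
        podman build --no-cache \
            --source-date-epoch "$epoch" \
            --rewrite-timestamp \
            --build-arg "SOURCE_DATE_EPOCH=$epoch" \
            -t "repro-check:$tag" "$workdir" >/dev/null
    done
    id_a="$(podman image inspect --format '{{.Id}}' repro-check:a)"
    id_b="$(podman image inspect --format '{{.Id}}' repro-check:b)"
    podman rmi repro-check:a repro-check:b >/dev/null
    rm -rf "$workdir"
    same_image "$id_a" "$id_b"
}

# Stand-alone run: show the helper, then do the two-build check if possible.
echo "stamp with SOURCE_DATE_EPOCH=0: $(SOURCE_DATE_EPOCH=0 build_stamp)"
if command -v podman >/dev/null 2>&1; then
    check_reproducible
else
    echo "podman not found; skipping the image build check"
fi
```

Without the `--build-arg` (or an `ENV`/environment equivalent), the `RUN` step would stamp the wall-clock time into `/etc/build-stamp` and the two image IDs would differ even though `--rewrite-timestamp` pins the layer metadata; that is the class of tool change the note refers to.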
    • In Progress

      Reproducible builds (https://reproducible-builds.org/) provide real value for us and for customers, helping ensure at least two things:

      • Avoiding "change amplification", where e.g. a rebuild triggered by a change to something like a LABEL in the Containerfile does not result in a pointless regeneration of the tarball that customers then need to redownload. More generally, we need to provide best practices and guidance, for our own container builds and for customers, to avoid "base image change amplification", where updating the base layer causes the rebuild of the higher layers to produce a new tarball, meaning we push a pointless change to the registry which customers unnecessarily redownload for the app.
      • Reproducible builds prove that our binary artifacts came from the sources we claim they did.

      In this epic we will do a spike to show that our build of ubi9 is reproducible.

              rhn-engineering-nalin Nalin Dahyabhai
              walters@redhat.com Colin Walters
              Container Runtime Eng Bot Container Runtime Eng Bot
              Container Runtime Bugs Bot Container Runtime Bugs Bot