RHEL-62749

[RFE] ubi9 build is reproducible


    • Moderate
    • rhel-container-tools
    • 13
    • False
    • False
    • Yes
    • None
    • Known Issue
    • .UBI images are not reproducible

      The `podman build` and `buildah build` commands avoid introducing inconsistencies between builds that use the same set of inputs when you invoke them with the following arguments:

      * `--rewrite-timestamp`
      * `--source-date-epoch`, an equivalent build argument or environment value that you set when starting the build.

      To work around this problem, invoke the `podman build` or `buildah build` commands with the `--rewrite-timestamp` and `--source-date-epoch` arguments to minimize build inconsistencies. Additionally, update tools invoked in `RUN` instructions to avoid producing nondeterministic output when the `$SOURCE_DATE_EPOCH` environment variable is set.

      Some tools or tool versions might still produce nondeterministic output, and you might not be able to build specific images reproducibly.
    • Done
    • Done
    • Done
    • Not Required
    • None

      Reproducible builds (https://reproducible-builds.org/) provide real value for us and customers, helping ensure at least two things:

      • Avoiding "change amplification", where e.g. a rebuild triggered because of a change to something like a LABEL in the containerfile doesn't result in a pointless regeneration of the tarball, causing customers to need to redownload it. And in general we need to provide best practices and guidance for our own container builds and for customers to avoid "base image change amplification", where updating the base layer causes the rebuild of the higher layers to result in a new tarball, meaning we push a pointless change to the registry, which the customer unnecessarily redownloads for the app.
      • Reproducible builds prove that our binary artifacts came from the sources we claim they did.

      In this epic we will do a spike to show that our build of ubi9 is reproducible.
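
What the release note asks of tools invoked in `RUN` instructions, shown for an archive step (an added example, not from the issue or from podman/buildah): two builds of the same inputs at different times hash differently with plain `tar` and identically once `$SOURCE_DATE_EPOCH` is honored. It assumes GNU tar and coreutils; the function names, file tree and epoch value are constructed for illustration.

```shell
#!/bin/sh
# Added example: a deterministic archive step for use inside a RUN instruction.
# Assumes GNU tar (--sort, --clamp-mtime) and coreutils; all names are illustrative.
set -eu

# Constructed epoch for the demo; in a real build this is the value given to
# `podman build` or `buildah build` with --source-date-epoch, next to --rewrite-timestamp.
: "${SOURCE_DATE_EPOCH:=1700000000}"
export SOURCE_DATE_EPOCH

# Constructed input tree. $1 = directory, $2 = mtime simulating build wall-clock time.
make_tree() {
  mkdir -p "$1/app"
  printf 'hello\n' > "$1/app/b.txt"
  printf 'world\n' > "$1/app/a.txt"
  touch -d "@$2" "$1/app/a.txt" "$1/app/b.txt" "$1/app"
}

# Plain tar: headers carry on-disk mtimes, builder uid/gid and readdir order.
naive_digest() {
  tar -C "$1" -cf - app | sha256sum | cut -d' ' -f1
}

# Deterministic tar: sorted entries, fixed ownership, mtimes clamped to the epoch.
repro_digest() {
  tar -C "$1" --sort=name --format=gnu \
      --mtime="@${SOURCE_DATE_EPOCH}" --clamp-mtime \
      --owner=0 --group=0 --numeric-owner \
      -cf - app | sha256sum | cut -d' ' -f1
}

# Build the same inputs twice, 100 s apart, and compare digests.
# $1 = digest function; prints "match" or "differ".
two_builds() (
  a=$(mktemp -d); b=$(mktemp -d)
  make_tree "$a" "$((SOURCE_DATE_EPOCH + 100))"
  make_tree "$b" "$((SOURCE_DATE_EPOCH + 200))"
  da=$("$1" "$a"); db=$("$1" "$b")
  rm -rf "$a" "$b"
  if [ "$da" = "$db" ]; then echo match; else echo differ; fi
)

echo "plain tar:         $(two_builds naive_digest)"
echo "SOURCE_DATE_EPOCH: $(two_builds repro_digest)"
```

The same double-build-and-compare check applies to a whole image: build it twice with the arguments from the release note and compare the resulting digests.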

              rhn-engineering-nalin Nalin Dahyabhai
              walters@redhat.com Colin Walters
              Colin Walters, Nalin Dahyabhai
              Container Runtime Eng Bot Container Runtime Eng Bot
              Container Runtime Bugs Bot Container Runtime Bugs Bot