From 61351819c1c100b499cc4802964d80b32c0e2e16 Mon Sep 17 00:00:00 2001 From: Natalie Arellano Date: Fri, 11 Feb 2022 09:58:52 -0500 Subject: [PATCH 1/3] Add mechanism for platform to provide image creation time. Signed-off-by: Natalie Arellano --- platform.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/platform.md b/platform.md index ebbb5434..159706db 100644 --- a/platform.md +++ b/platform.md @@ -872,6 +872,9 @@ To achieve reproducibility the lifecycle SHOULD set the following to a constant, - file modification times in generated layers - image creation time +The platform MAY set `SOURCE_DATE_EPOCH` in the lifecycle execution environment, where the value of `SOURCE_DATE_EPOCH` MUST be a [UNIX timestamp](https://reproducible-builds.org/specs/source-date-epoch/). +If `SOURCE_DATE_EPOCH` is set, the lifecycle SHOULD set the image creation time to its value. + Because compressions algorithms and manifest whitespace affect the image digest, an app image exported to the docker daemon and subsequently pushed to a registry MAY have a different digest than an app image exported directly to a registry by the lifecycle, even when all other inputs are held constant. If buildpacks do not generate layer contents or layer metadata reproducibly, builds MAY NOT be reproducibile even when identical source code and buildpacks are provided to the lifecycle. From d6060b7c0b3a86b7cec27d901b66d84a7f925be2 Mon Sep 17 00:00:00 2001 From: Natalie Arellano Date: Wed, 16 Feb 2022 13:56:02 -0500 Subject: [PATCH 2/3] Add details for exporter Signed-off-by: Natalie Arellano --- platform.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/platform.md b/platform.md index 159706db..ea8f592f 100644 --- a/platform.md +++ b/platform.md 
@@ -546,6 +546,7 @@ Usage: | `` | `CNB_STACK_PATH` | `/cnb/stack.toml` | Path to stack file (see [`stack.toml`](#stacktoml-toml) | `` | `CNB_USER_ID` | | UID of the build image `User` | `/config/metadata.toml` | | | Build metadata (see [`metadata.toml`](#metadatatoml-toml) +| | `SOURCE_DATE_EPOCH` | | Timestamp for `created` time in app image config | - At least one `` must be provided - Each `` MUST be a valid tag reference @@ -601,7 +602,7 @@ Usage: - `io.buildpacks.build.metadata`: see [build metadata](#iobuildpacksbuildmetadata-json) - To ensure [build reproducibility](#build-reproducibility), the lifecycle: - SHOULD set the modification time of all files in newly created layers to a constant value - - SHOULD set the `created` time in image config to a constant value + - SHOULD set the `created` time in image config to `SOURCE_DATE_EPOCH`, or to a constant value if not defined - The lifecycle SHALL write a [report](#reporttoml-toml) to `` describing the exported app image From a3ff2cbe3897309f2ce0dccd74828372276b5c6f Mon Sep 17 00:00:00 2001 From: Natalie Arellano Date: Wed, 16 Mar 2022 10:09:25 -0400 Subject: [PATCH 3/3] Remove superfluous wording in reproducibility Signed-off-by: Natalie Arellano --- platform.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/platform.md b/platform.md index ea8f592f..1384d15a 100644 --- a/platform.md +++ b/platform.md 
@@ -873,9 +873,6 @@ To achieve reproducibility the lifecycle SHOULD set the following to a constant, - file modification times in generated layers - image creation time -The platform MAY set `SOURCE_DATE_EPOCH` in the lifecycle execution environment, where the value of `SOURCE_DATE_EPOCH` MUST be a [UNIX timestamp](https://reproducible-builds.org/specs/source-date-epoch/). -If `SOURCE_DATE_EPOCH` is set, the lifecycle SHOULD set the image creation time to its value. - Because compressions algorithms and manifest whitespace affect the image digest, an app image exported to the docker daemon and subsequently pushed to a registry MAY have a different digest than an app image exported directly to a registry by the lifecycle, even when all other inputs are held constant. If buildpacks do not generate layer contents or layer metadata reproducibly, builds MAY NOT be reproducibile even when identical source code and buildpacks are provided to the lifecycle.
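Review bot: In PATCH 1/3 (hunk at platform.md line 872) the added sentence "the value of `SOURCE_DATE_EPOCH` MUST be a UNIX timestamp" is looser than the specification it links, which requires an integer number of seconds since the epoch with no fractional part, and the hunk says nothing about a value that is set but does not parse. Suggest spelling out the unit and the failure behaviour, e.g. "the value of `SOURCE_DATE_EPOCH` MUST be an integer number of seconds since the UNIX epoch" and "If `SOURCE_DATE_EPOCH` is set to a value that is not a valid timestamp, the lifecycle SHALL fail", or state the fallback to the constant explicitly if that is the intent. The unchanged bullet "- image creation time" two lines above still lists the creation time among the things set "to a constant", which this sentence contradicts whenever the variable is set; the bullet needs a qualifier in the same hunk. Note that these two lines are deleted again in PATCH 3/3, so if this is the intended home for the format definition it should not be removed later without being restated elsewhere.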
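Review bot: The new table row in the exporter usage section (PATCH 2/3, hunk at platform.md line 546) gives no format for the value: "Timestamp for `created` time in app image config" does not say the variable holds seconds since the epoch, while the `created` field it feeds is an RFC 3339 date-time string, so an implementer could reasonably write the raw integer through. Suggest "| | `SOURCE_DATE_EPOCH` | | UNIX timestamp (integer seconds since the epoch) used for the `created` time in the app image config |" and a link to the reproducible-builds specification from this row, since after PATCH 3/3 this row is the only place in the document where the variable is defined. The empty default column is correct for an optional input; the phrase "or to a constant value if not defined" in the later hunk is effectively the default and could be referenced from the description so the two places agree.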
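Review bot: "SHOULD set the `created` time in image config to `SOURCE_DATE_EPOCH`, or to a constant value if not defined" (PATCH 2/3, hunk at platform.md line 601) leaves the conversion implicit and conflates "not defined" with "set but invalid": the variable is an integer and `created` is a date-time string, so the text should say the lifecycle converts the value to the image config's time format (in UTC) and what it does with an empty or non-numeric value. Platforms commonly forward environment from CI unchanged, and an unexpected value should fail the export rather than silently produce an image whose `created` time is neither the constant nor the requested one. Consider "- SHOULD set the `created` time in image config to the time represented by `SOURCE_DATE_EPOCH` if it is set, or to a constant value otherwise; an unparseable value SHALL cause the export to fail". The preceding unchanged line "- SHOULD set the modification time of all files in newly created layers to a constant value" is left alone, so the variable applies to `created` only; if that is deliberate (keeping layer digests independent of the variable), a short sentence saying so would stop readers of the SOURCE_DATE_EPOCH convention from assuming it covers file timestamps as well.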
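Review bot: Deleting the two sentences under the reproducibility list (PATCH 3/3, hunk at platform.md line 873) removes the only normative statement of the value's format and the only link to its specification, and leaves the unchanged bullet "- image creation time" in the list of things the lifecycle "SHOULD set ... to a constant" contradicting the exporter section, which after PATCH 2/3 sets `created` to `SOURCE_DATE_EPOCH` when it is defined. Rather than removing the text outright, suggest qualifying the bullet, e.g. "- image creation time (unless `SOURCE_DATE_EPOCH` is set, see the exporter usage table)", so the reproducibility section still explains why two builds with different `SOURCE_DATE_EPOCH` values yield different digests. The unchanged context in the same hunk also carries "compressions algorithms" and "reproducibile", which could be corrected to "compression algorithms" and "reproducible" while this paragraph is being edited.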