Reproducible Builds (SOURCE_DATE_EPOCH)

[cmeyertons]

Docker BuildKit supports reproducible builds by setting the env var SOURCE_DATE_EPOCH=0

It appears the OCI default labels does not respect this value,

This is a nice tool for teams to leverage in order to perform digest pinning, etc in their deployment pipelines (a new commit doesn't necessitate a re-deployment of infrastructure if the SHA didn't change, etc)

[rainersigwald]

This may not be all that's required for #34 but it's great precedent and would probably go a long way.

[baronfel]

I wonder if this flag would be interesting to the whole SDK too, independent of any integration into the containers-building portion of the tooling.

[rainersigwald]

I'd say "no" other than maybe setting $(Deterministic) if it's set. The biggest thing in the containers work is the tarball timestamps IIRC; Roslyn should do a pretty good job keeping things bit-for-bit identical otherwise.

[baronfel]

Details on the impacts of this value in the Docker tooling (from the linked docs) are:

The build arg value is used for:

the created timestamp in the OCI Image Config
the created timestamp in the history objects in the OCI Image Config
the org.opencontainers.image.created annotation in the OCI Image Index
the timestamp of the files exported with the local exporter
the timestamp of the files exported with the tar exporter

[cmeyertons]

Also, worth noting that SOURCE_DATE_EPOCH is not Docker-specific and is standards-based.