argocd-image-updater icon indicating copy to clipboard operation
argocd-image-updater copied to clipboard

Published 20 hours ago verified publisher icon argoproj-labs

Reproducible builds cause undefined image selection

Open janpieper opened this issue 3 years ago • 0 comments

Describe the bug

Some build tools (e.g. jib) set a static value for the layer/image creation date (e.g. 1970-01-01T00:00:00) to allow reproducible builds. This causes issues when using e.g. the latest update-strategy because the image updater sorts the images by their creation date. In those cases it is undefined what image gets selected as the new image. In theory, the image updater could choose a different image on each run.

To Reproduce

Push two or more images with the same creation date to the registry and use the latest strategy.

Expected behavior

I can currently think of two ways to handle those cases:

  1. Log a warning message so you can identify this issue
  2. Handle as an error because we cannot guarantee the image updater selects the correct image

It's also important to keep in mind that even if the devs re-configure their build tools to include a current timestamp, the registry will most likely still have images with the static value.

Additional context

  • https://reproducible-builds.org
  • https://reproducible-builds.org/docs/timestamps/
  • https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#why-is-my-image-created-48-years-ago

Version

0.11.0

Logs

None

janpieper avatar Dec 06 '21 11:12 janpieper