make `oras push` and `oras attach` deterministic

Open qweeah opened this issue 1 year ago • 0 comments

What is the version of your ORAS CLI

v1.2.0

What would you like to be added?

Deterministically generate manifests for `oras push` and `oras attach` if the same content (e.g. blobs, annotations) is packed.

Related issue: https://github.com/oras-project/oras-go/issues/748, https://github.com/oras-project/oras-www/issues/366

If the to-be-uploaded file is a folder, ORAS will pack the folder as a tarball archive. The last modified time (mtime) is included in the archive, so the digest of the packed tarball changes even when the file contents are identical. The oras CLI should provide a flag to strip out the time info so the packing is deterministic.

Related PR: https://github.com/oras-project/oras/pull/126

Why is this needed for ORAS?

With deterministic builds (a.k.a. reproducible builds), the oras push command will not push two different manifests. Deterministic builds also play an important role in CSSC (see blog).

Are you willing to submit PRs to contribute to this feature?

  • [ ] Yes, I am willing to implement it.

qweeah avatar Jul 30 '24 07:07 qweeah
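
The mtime effect described in the issue, as an added example that is not part of the original issue and is not ORAS code: the same file content is packed twice with different modification times, and the tar digest only matches once the timestamp is replaced with a fixed value. The names `entry`, `tarDigest` and `stripTime`, the sample file and the choice of the Unix epoch as the fixed time are assumptions made for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"fmt"
	"time"
)

// entry is a constructed stand-in for one file found while packing a folder.
type entry struct {
	Name, Content string
	ModTime       time.Time
}

// tarDigest packs entries into an in-memory tar and returns its SHA-256 digest.
// With stripTime set, every mtime is replaced by the Unix epoch (an assumed
// fixed value), so only names, modes and contents feed the digest.
func tarDigest(entries []entry, stripTime bool) (string, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Typeflag: tar.TypeReg, Name: e.Name, Mode: 0o644,
			Size: int64(len(e.Content)), ModTime: e.ModTime}
		if stripTime {
			hdr.ModTime = time.Unix(0, 0)
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return "", err
		}
		if _, err := tw.Write([]byte(e.Content)); err != nil {
			return "", err
		}
	}
	if err := tw.Close(); err != nil {
		return "", err
	}
	return fmt.Sprintf("sha256:%x", sha256.Sum256(buf.Bytes())), nil
}

func main() {
	// Constructed sample: the same file checked out at two different times.
	first := []entry{{"app/config.json", `{"debug":false}`, time.Unix(1700000000, 0)}}
	second := []entry{{"app/config.json", `{"debug":false}`, time.Unix(1700086400, 0)}}
	for _, strip := range []bool{false, true} {
		a, _ := tarDigest(first, strip)
		b, _ := tarDigest(second, strip)
		fmt.Printf("stripTime=%-5v equal=%v\n  %s\n  %s\n", strip, a == b, a, b)
	}
}
```

A layer digest that changes on every pack also changes the manifest digest that references it, which is why identical content otherwise produces different manifests.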