Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make skaffold reproducible #6238

Merged
merged 1 commit into from
Jul 21, 2021
Merged

Make skaffold reproducible #6238

merged 1 commit into from
Jul 21, 2021

Conversation

jelly
Copy link
Contributor

@jelly jelly commented Jul 19, 2021

Use SOURCE_DATE_EPOCH to set the previous build date when rebuilding a
built binary.

Motivation: https://reproducible-builds.org/

Description

To make this package reproducible in Arch Linux and other distributions, we require SOURCE_DATE_EPOCH to be read if set, so when we are rebuilding an old package we can set the old build date which removes the build variation.

The problem can be spotted here https://reproducible.archlinux.org/api/v0/builds/137544/diffoscope

@jelly
Make skaffold reproducible
462d621 
Use SOURCE_DATE_EPOCH to set the previous build date when rebuilding a
built binary.

Motivation: https://reproducible-builds.org/
@jelly jelly requested a review from a team as a code owner July 19, 2021 11:42
@jelly jelly requested a review from MarlonGamez July 19, 2021 11:42
@google-cla google-cla bot added the cla: yes label Jul 19, 2021
@codecov
Copy link

codecov bot commented Jul 19, 2021

Codecov Report

Merging #6238 (462d621) into master (10e6b23) will increase coverage by 0.00%.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #6238   +/-   ##
=======================================
  Coverage   70.82%   70.83%           
=======================================
  Files         487      487           
  Lines       22048    22048           
=======================================
+ Hits        15616    15618    +2     
+ Misses       5425     5424    -1     
+ Partials     1007     1006    -1
Impacted Files Coverage Δ
pkg/skaffold/docker/parse.go 87.39% <0.00%> (-0.85%) ⬇️
pkg/skaffold/util/tar.go 57.47% <0.00%> (+4.59%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 10e6b23...462d621. Read the comment docs.

@tejal29
Copy link
Contributor

tejal29 commented Jul 20, 2021

@jelly just curious, how would you know what should be the value of SOURCE_DATE_EPOCH when trying to reproduce the build for a date in past?

@jelly
Copy link
Contributor Author

jelly commented Jul 21, 2021

@jelly just curious, how would you know what should be the value of SOURCE_DATE_EPOCH when trying to reproduce the build for a date in past?

Arch Linux ships skaffold as an Arch Linux package when building we record the build time and store this with other meta-data about the build environment in a .BUILDINFO file.

When we reproduce the build package, we extract the meta-data and re-construct the build environment and set the SOURCE_DATE_EPOCH variable to the build time of the package. This makes the reproduced package to be build with the exact same time as the original package.

More information can be found in these links:
https://man.archlinux.org/man/core/pacman/makepkg.8.en#REPRODUCIBILITY
https://reproducible-builds.org/docs/source-date-epoch/

@tejal29
Copy link
Contributor

tejal29 commented Jul 21, 2021

@jelly just curious, how would you know what should be the value of SOURCE_DATE_EPOCH when trying to reproduce the build for a date in past?

Arch Linux ships skaffold as an Arch Linux package when building we record the build time and store this with other meta-data about the build environment in a .BUILDINFO file.

When we reproduce the build package, we extract the meta-data and re-construct the build environment and set the SOURCE_DATE_EPOCH variable to the build time of the package. This makes the reproduced package to be build with the exact same time as the original package.

More information can be found in these links:
https://man.archlinux.org/man/core/pacman/makepkg.8.en#REPRODUCIBILITY
https://reproducible-builds.org/docs/source-date-epoch/

Thanks for the explanation.

@tejal29 tejal29 enabled auto-merge (squash) July 21, 2021 16:26
@tejal29 tejal29 disabled auto-merge July 21, 2021 16:27
@tejal29 tejal29 merged commit 8c34f1e into GoogleContainerTools:main Jul 21, 2021
@jelly jelly deleted the reproduciblebuilds branch August 3, 2021 11:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tejal29 tejal29 tejal29 approved these changes

@MarlonGamez MarlonGamez Awaiting requested review from MarlonGamez

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jelly @tejal29