Assert that builds are reproducible #811
Comments
The only piece of the Ruby buildpack keeping us from completing this item is the
So it sounds like there's no more work we can do here, and instead we should document the known limitations. I'll take that responsibility and assign myself the issue.
Describe the Enhancement
Builds with this buildpack should be reproducible, meaning given identical inputs, the SHAs of resulting buildpack-built images are the same. This means, for a given app, if I run:
and then run
with the same source code and configurations, the resulting image SHAs should be the same.
Currently, builds are not reproducible because of SBOMs included in the final app image. See paketo-buildpacks/packit#367 and paketo-buildpacks/packit#368. But once those issues are resolved and a new version of packit has been released, we should expect that the buildpack builds are reproducible.
Possible Solution
Add assertions to integration tests that show that two builds with the same inputs produce identical outputs.
Motivation
Build reproducibility is a selling point of CNBs that we want to provide to Paketo buildpack users. We want to know if future implementation decisions compromise build reproducibility.
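A sketch of the assertion proposed under "Possible Solution", added here as an example and not taken from the buildpack's integration tests. `buildLayer` and `reproducible` are hypothetical names, the tar layer stands in for a built image, and the `created` field is a constructed stand-in for whatever build-specific value an SBOM carries (the issue does not say which fields differ).

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"fmt"
	"time"
)

// buildLayer (hypothetical) packs the app source and a constructed SBOM-like
// file into a tar layer and returns the layer's SHA-256 digest in hex.
// Assumption: with stampSBOM set, the SBOM embeds the build time.
func buildLayer(source string, now time.Time, stampSBOM bool) (string, error) {
	sbom := `{"components":["app"]}`
	if stampSBOM {
		sbom = fmt.Sprintf(`{"components":["app"],"created":%q}`, now.Format(time.RFC3339Nano))
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range [][2]string{{"workspace/app.rb", source}, {"layers/sbom.json", sbom}} {
		hdr := &tar.Header{Name: f[0], Mode: 0o644, Size: int64(len(f[1])), ModTime: time.Unix(0, 0)} // fixed mtime
		if err := tw.WriteHeader(hdr); err != nil {
			return "", err
		}
		if _, err := tw.Write([]byte(f[1])); err != nil {
			return "", err
		}
	}
	if err := tw.Close(); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(buf.Bytes())), nil
}

// reproducible builds twice from identical inputs, one minute apart, and
// reports whether the digests match: the assertion the issue asks for.
func reproducible(source string, stampSBOM bool) (bool, error) {
	t1 := time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
	first, err1 := buildLayer(source, t1, stampSBOM)
	second, err2 := buildLayer(source, t1.Add(time.Minute), stampSBOM)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("build failed: %v / %v", err1, err2)
	}
	return first == second, nil
}

func main() {
	fmt.Println(reproducible("puts 'hi'", true))  // false <nil>
	fmt.Println(reproducible("puts 'hi'", false)) // true <nil>
}
```

In a real integration test the two digests would be the image IDs reported for two builds of the same app, compared the same way.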