Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make oras push and oras attach deterministic #1464

Open
1 task
qweeah opened this issue Jul 30, 2024 · 0 comments
Open
1 task

make oras push and oras attach deterministic #1464

qweeah opened this issue Jul 30, 2024 · 0 comments
Labels
enhancement New feature or request spec required Issues that require specifications
Milestone
v1.3.0

Comments

@qweeah
Copy link
Contributor

qweeah commented Jul 30, 2024

What is the version of your ORAS CLI

v1.2.0

What would you like to be added?

Deterministically generate manifests for oras push and oras attach if the same content (e.g. blobs, annotations) are packed.

Related issue: oras-project/oras-go#748, oras-project/oras-www#366

If the to-be uploaded file is a folder, ORAS will pack the folder as a tarball archive. The last modified time(mtime) is include in the archive so the digest of the packed tarball changes even when file content are identical. oras CLI should provide a flag to strip out the time info so the packing is deterministic.

Related PR: #126

Why is this needed for ORAS?

With deterministic builds (a.k.a. reproducible builds), the oras push command will not push two different manifests. Deterministic builds also play an important role in CSSC (see blog).

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.
@qweeah qweeah added enhancement New feature or request triage New issues or PRs to be acknowledged by maintainers and removed triage New issues or PRs to be acknowledged by maintainers labels Jul 30, 2024
@qweeah qweeah added this to the v1.3.0 milestone Jul 30, 2024
@qweeah qweeah mentioned this issue Jul 30, 2024
Open
1 task
@shizhMSFT shizhMSFT added the spec required Issues that require specifications label Sep 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request spec required Issues that require specifications
Projects
None yet
Milestone
v1.3.0
Development

No branches or pull requests
2 participants
@qweeah @shizhMSFT