Comments (6)
docker/cli#3778 addresses this issue in the Docker CLI, so that images reporting as built before 2000 aren't shown as X years ago, but instead N/A.
When that change is released (assuming December), we should stop bumping the created-at date every day, basically resurrecting chainguard-images/actions#30.
Just reading https://www.chainguard.dev/unchained/conquer-your-build-horizon-with-chainguard-enforce-in-2023 I suggest we just use last commit date for our CG images. Could we just do this now?
> Just reading https://www.chainguard.dev/unchained/conquer-your-build-horizon-with-chainguard-enforce-in-2023 I suggest we just use last commit date for our CG images. Could we just do this now?
I thought about this a bit more, and I don't think we can. Or we can, but it might become misleading.
There are roughly two sources of "changes" to an image we build:
1. the apko.yaml file in the source repo
2. the packages in the apk repo
Setting `SOURCE_DATE_EPOCH=$(git show -s --format=%at HEAD)` would make the image's created-at date based only on source updates, basically (1).
The problem is that even if you don't change your apko.yaml in GitHub, requesting a package like `packages: ['busybox']` in the config might install `busybox-1.34.1-r0` today, but could install `busybox-1.35.4-r5` tomorrow. The config contents haven't changed, but the image contents might have. We'd be ignoring (2). An image could be "created at" a time before one of its packages even existed.
The root of this issue is that, if the source contents haven't changed, and the packages haven't changed, then the timestamp shouldn't change either. This is what we're getting wrong today: identical config+packages still bumps the created-at time, because we always set it to "now".
We could also tie (1) to (2), and always explicitly request packages by exact version (`packages: ['busybox-1.34.1.-r0']`), but that would get really tedious and brittle and noisy. Nobody wants to live like this.
So ideally we should come up with some way to grab the installed packages' created-at times, and set the image's created-at time to `max(commit-time, package-update-times...)`. I'm not sure the best way to do that today.
edit to add: I think this logic seems sufficiently complex and in need of testing that we should write it in Go instead of Bash. This might be better behavior to bake into apko (possibly as the default?) than to hack together just for our images.
There's a third source of change: the apko version used to build the image. Luckily we have this in apko's version info.
Also worth considering, now that we build images from the monorepo we need to ignore changes to other files. For (1), instead of "date of last commit" it should be "date of last commit affecting the build config"
Definitely sounds like something apko should be responsible for.
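An added sketch of the rule discussed in the two comments above, `max(commit-time, package-update-times...)`, written in Go as suggested there; it is not code from apko or from any participant in this thread. It assumes the `t:` build-time field of apk's installed-package database stands in for a package's update time, and that the commit time is taken from `git log -1 --format=%at -- <config path>`; the sample database is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample, apk installed-db format: P name, V version, t build time.
const sampleDB = "P:busybox\nV:1.35.0-r0\nt:1670000000\n\n" +
	"P:ca-certificates-bundle\nV:20220614-r2\nt:1660000000\n"

// newestPackageTime returns the largest t: value found in the database text.
func newestPackageTime(db string) (int64, error) {
	var newest int64
	var pkg string
	sc := bufio.NewScanner(strings.NewReader(db))
	for sc.Scan() {
		key, val, _ := strings.Cut(sc.Text(), ":")
		switch key {
		case "P":
			pkg = val
		case "t":
			t, err := strconv.ParseInt(val, 10, 64)
			if err != nil {
				return 0, fmt.Errorf("package %q: bad t field: %w", pkg, err)
			}
			if t > newest {
				newest = t
			}
		}
	}
	return newest, sc.Err()
}

// createdAt implements max(commit-time, package-update-times...).
// Assumption: commitTime is the %at of the last commit touching the config.
func createdAt(commitTime int64, db string) (int64, error) {
	newest, err := newestPackageTime(db)
	if err == nil && commitTime > newest {
		newest = commitTime
	}
	return newest, err
}

func main() {
	fmt.Println(createdAt(1665000000, sampleDB))
}
```

With the same config commit and the same installed packages the result is the same on every build, and it only moves forward when either input changes.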
Keep in mind that `SOURCE_DATE_EPOCH` needs to be respected regardless, because SBOM data gets embedded in apks.
> The problem is that even if you don't change your apko.yaml in GitHub, requesting a package like `packages: ['busybox']` in the config might install `busybox-1.34.1-r0` today, but could install `busybox-1.35.4-r5` tomorrow.
Would this (chainguard-dev/apko#185) solve that problem?