Context
Recently, a user found that in some instances, multiple builds on the same source code produce images with different digests (see this thread). The user expected that the build would've produced the same image. This issue appears to have cropped up without our knowledge since we did not have language-family level tests for reproducibility. This latest occurrence may be related to the SBOM work we recently added.
Issue
We should perform an investigation across all of our language family buildpacks to determine the status of build reproducibility. For any buildpacks that do not produce reproducible images, we should file an issue to flag that and (hopefully) resolve it down the line. The issues file should include an outcome about adding a test at the language-test level.
Buildpacks to investigate:
Context
Recently, a user found that in some instances, multiple builds on the same source code produce images with different digests (see this thread). The user expected that the build would've produced the same image. This issue appears to have cropped up without our knowledge since we did not have language-family level tests for reproducibility. This latest occurrence may be related to the SBOM work we recently added.
Issue
We should perform an investigation across all of our language family buildpacks to determine the status of build reproducibility. For any buildpacks that do not produce reproducible images, we should file an issue to flag that and (hopefully) resolve it down the line. The issues file should include an outcome about adding a test at the language-test level.
Buildpacks to investigate: