If the same source is built on two different machines, ideally, they should produce the same binary, same image, same layer digests, same config diffids, etc.
This isn't the case today. If you take a recent ghcr.io/google/ko image produced by CI, and try to build the same image from the same commit, using the same Go compiler version, and using the same base image by digest (aided by #592), you still end up with different images.
$ git checkout f8d0aca1abeab6cf3d1800d15acc0592c7c976b7
$ ci=ghcr.io/google/ko@sha256:8fa68c86562684f946e92086a6a4d1f17ee116fff32e157e68f96dbf948b0783
# set base image to golang:1.17@digest in .ko.yaml, based on CI build logs
$ local=$(KO_DOCKER_REPO=gcr.io/imjasonh go run ./ build ./ --platform=all)
...
2022/02/11 11:01:22 Published gcr.io/imjasonh/ko-98b8c7facdad74510a7cae0cd368eb4e@sha256:73d4746ef0423a24b2e36705d5f648f8f6ed8ad2f70a74c43a1d799ea4135936
Note these images have different digests.
Only considering --platform=linux/amd64 for now, their manifests differ in the top layers produced by ko:
Configs diff only in the last diffID:
The Go binaries in each image:
These are different sizes, and have different buildids embedded:
$ go tool buildid cibin
wfsXdWzess1HPZwqxpza/w1W8Gpkeb188ZJ6UexW7/fAQZlgOa-X8oaRDhGERu/OOojyWok9JTAbBpACeWS
$ go tool buildid localbin
fURyWN8_9H1KmClFNJrE/HWiELKLTvC1MFSvyxVmG/dsAR_RpmjFrxsRtRLtDJ/n5VsQTn6NFmq0lhuM8r4
We use buildid to avoid rebuilding/compressing/digesting binaries when KOCACHE is set, but I think maybe if KOCACHE isn't set we should consider also passing -ldflags=-buildid= as recommended here
Or, perhaps making it an opt-in choice like ko build ./ --reproducible?
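An added example, not part of the issue or of ko's code: a Go helper that compares two image manifests and reports which layer positions differ and whether the config digest differs, the same comparison the issue makes between the CI and local builds. The manifests and digests embedded in it are constructed placeholders, and `diffLayers` is a hypothetical name.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the image-manifest fields needed for the comparison.
type descriptor struct {
	Digest string `json:"digest"`
	Size   int64  `json:"size"`
}

type manifest struct {
	Config descriptor   `json:"config"`
	Layers []descriptor `json:"layers"`
}

// diffLayers returns the layer indexes at which two manifests disagree
// (digest, size, or a layer missing on one side) and whether the config
// digests differ.
func diffLayers(a, b []byte) (layers []int, config bool, err error) {
	var ma, mb manifest
	if err = json.Unmarshal(a, &ma); err != nil {
		return nil, false, fmt.Errorf("first manifest: %w", err)
	}
	if err = json.Unmarshal(b, &mb); err != nil {
		return nil, false, fmt.Errorf("second manifest: %w", err)
	}
	n := len(ma.Layers)
	if len(mb.Layers) > n {
		n = len(mb.Layers)
	}
	for i := 0; i < n; i++ {
		if i >= len(ma.Layers) || i >= len(mb.Layers) || ma.Layers[i] != mb.Layers[i] {
			layers = append(layers, i)
		}
	}
	return layers, ma.Config.Digest != mb.Config.Digest, nil
}

// Constructed sample manifests (not the real CI and local images): identical
// base layers, different top layer and config, as the issue describes.
const ciManifest = `{"config":{"digest":"sha256:cfg-ci","size":1500},"layers":[
 {"digest":"sha256:base0","size":100},{"digest":"sha256:base1","size":200},
 {"digest":"sha256:app-ci","size":9001}]}`
const localManifest = `{"config":{"digest":"sha256:cfg-local","size":1500},"layers":[
 {"digest":"sha256:base0","size":100},{"digest":"sha256:base1","size":200},
 {"digest":"sha256:app-local","size":9017}]}`

func main() {
	layers, config, err := diffLayers([]byte(ciManifest), []byte(localManifest))
	fmt.Println("differing layers:", layers, "config differs:", config, "err:", err)
}
```

A result that lists only the last index, with the config digest also differing, points at the layer holding the Go binary rather than at the base image.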
This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.