What is the version of your ORAS CLI
v1.2.0
What would you like to be added?
Deterministically generate manifests for oras push and oras attach if the same content (e.g. blobs, annotations) are packed.
Related issue: oras-project/oras-go#748, oras-project/oras-www#366
If the to-be uploaded file is a folder, ORAS will pack the folder as a tarball archive. The last modified time(mtime) is include in the archive so the digest of the packed tarball changes even when file content are identical. oras CLI should provide a flag to strip out the time info so the packing is deterministic.
Related PR: #126
Why is this needed for ORAS?
With deterministic builds (a.k.a. reproducible builds), the oras push command will not push two different manifests. Deterministic builds also play an important role in CSSC (see blog).
Are you willing to submit PRs to contribute to this feature?
What is the version of your ORAS CLI
v1.2.0
What would you like to be added?
Deterministically generate manifests for oras push and oras attach if the same content (e.g. blobs, annotations) are packed.
Related issue: oras-project/oras-go#748, oras-project/oras-www#366
If the to-be uploaded file is a folder, ORAS will pack the folder as a tarball archive. The last modified time(mtime) is include in the archive so the digest of the packed tarball changes even when file content are identical.
orasCLI should provide a flag to strip out the time info so the packing is deterministic.Related PR: #126
Why is this needed for ORAS?
With deterministic builds (a.k.a. reproducible builds), the oras push command will not push two different manifests. Deterministic builds also play an important role in CSSC (see blog).
Are you willing to submit PRs to contribute to this feature?