Hi,
Thanks for your work on diffoci!
Please correct me if I'm wrong, but it seems to me that it is not currently possible to use diffoci to verify reproducibility of an image with the default (non --semantic) mode, given the following "paradox":
I'm aware this is more of a Docker issue/limitation, but it's a bit paradoxical to not be able to fully satisfy diffoci from a technical point of view. The --semantic (a.k.a. non-strict) mode allows a successful test, but it ignores too many attributes to be a fair representation of reproducibility IMHO. For instance, I was able to fix/normalize timestamps and file ordering (which are ignored with this mode); the unavoidable difference in image name annotations is the only remaining attribute that diffoci reports on my side.
As far as I can tell, the image name annotations are specific to metadata handling in container tooling, and do not affect the actual filesystem contents of the image. As a matter of fact, they do not appear to be part of the hashed object when generating the image digest, as a difference in image name annotations between my two images does not prevent digest equality.
As such, I'd like to suggest ignoring image name annotations by default (not only with --semantic). Assuming that the above observations are correct, it feels a bit weird not being able to satisfy diffoci in non-strict mode for something that is currently unavoidable & cannot be fixed or worked around (as opposed to other attributes ignored by the --semantic mode) and that doesn't even get in the way of reproducibility (as far as I can tell).
Alternatively, a dedicated flag specifically for image name annotation (whether it is to ignore it or take it into consideration) could eventually be added, rather than bundling it with other attributes in the --semantic flag.
Thanks again for your work on diffoci and for your consideration!
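
The observation above about digest equality, as an added example that is not part of the original post and is not diffoci's code. It assumes the image name is carried only in descriptor annotations of the image index (the keys `io.containerd.image.name` and `org.opencontainers.image.ref.name`); the manifest, the image names and the function names are constructed for illustration.

```python
import hashlib
import json

# Annotation keys that carry only the image name/tag (assumed set for this example).
NAME_ANNOTATIONS = {
    "org.opencontainers.image.ref.name",
    "io.containerd.image.name",
}

def digest(blob: bytes) -> str:
    """OCI content digest: SHA-256 over the exact serialized bytes."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def descriptor(manifest: bytes, name: str) -> dict:
    """Index entry pointing at a manifest; the name lives here, outside the hashed bytes."""
    return {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": digest(manifest),
        "size": len(manifest),
        "annotations": {
            "io.containerd.image.name": name,
            "org.opencontainers.image.ref.name": name.rsplit(":", 1)[-1],
        },
    }

def diff_descriptors(a: dict, b: dict, ignore_names: bool) -> list:
    """Return the field paths that differ between two descriptors."""
    diffs = [k for k in ("mediaType", "digest", "size") if a.get(k) != b.get(k)]
    ann_a, ann_b = a.get("annotations", {}), b.get("annotations", {})
    for key in sorted(set(ann_a) | set(ann_b)):
        if ignore_names and key in NAME_ANNOTATIONS:
            continue
        if ann_a.get(key) != ann_b.get(key):
            diffs.append("annotations." + key)
    return diffs

# Constructed sample: one bit-identical manifest, loaded under two different names.
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "0" * 64, "size": 2},
    "layers": [],
}, sort_keys=True).encode()
BUILD_A = descriptor(MANIFEST, "example.invalid/app:build-a")
BUILD_B = descriptor(MANIFEST, "example.invalid/app:build-b")

if __name__ == "__main__":
    print("strict :", diff_descriptors(BUILD_A, BUILD_B, ignore_names=False))
    print("relaxed:", diff_descriptors(BUILD_A, BUILD_B, ignore_names=True))
```

A change to the manifest bytes still surfaces as a `digest` difference when the name annotations are ignored, so the relaxed comparison only drops the naming metadata.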