Reproducible Tarballs #2199

Closed
Noxsios opened this issue Dec 15, 2023 · 0 comments · Fixed by #2210
Labels
tech-debt 💳 Debt that the team has charged and needs to repay
Comments

Noxsios (Contributor) commented Dec 15, 2023

Describe what should be investigated or refactored

Component tarballs are not reproducible; this needs investigation as to which tar headers need to be stripped, similar to:

oras-project/oras-go@93c4cc2

https://github.com/moby/moby/blob/v24.0.7/pkg/archive/archive.go#L464

Additional context

Reach out to @Noxsios or @Racer159 for more info

@Noxsios Noxsios added the tech-debt 💳 Debt that the team has charged and needs to repay label Dec 15, 2023
@Racer159 Racer159 added this to the The Bucket milestone Dec 18, 2023
Racer159 added a commit that referenced this issue Jan 3, 2024
## Description

`archiver@v3` does not expose the functionality needed to create
tarballs with file headers containing only deterministic information. As
such, back-to-back package `create`s against the same data will result
in differences in SHAs of `components/*.tar` and `sboms.tar`.

To remedy this, tarballing up these directories manually is the only
current path forward in order to guarantee reproducibility.
`archiver@v4` contains such functionality, but is still in `alpha`.

## Related Issue

Fixes #2199 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Signed-off-by: razzle <harry@razzle.cloud>
Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
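Worked example, added here and not part of the issue, the commit above, or Zarf's own code: a Go program that tars a directory two ways, once keeping whatever `archive/tar`'s `FileInfoHeader` fills in and once with the host- and time-dependent header fields stripped, and prints a SHA-256 of each stream. It illustrates both the question the issue raises (which tar headers have to be stripped) and the manual tarballing the commit message describes. The field list (mtime, atime/ctime, uid/gid, uname/gname, plus pinning the tar format and relying on `filepath.Walk`'s lexical order), the function names `writeEntries`, `NaiveTar`, `DeterministicTar` and `Digest`, and the `go run main.go` invocation are this example's own assumptions, not taken from the project.

```go
package main

import (
	"archive/tar"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"time"
)

// writeEntries tars dir into w, passing each header through fixup before it
// is written. filepath.Walk visits entries in lexical order, so entry order in
// the archive cannot depend on how the filesystem enumerates a directory.
func writeEntries(dir string, w io.Writer, fixup func(*tar.Header)) error {
	tw := tar.NewWriter(w)
	err := filepath.Walk(dir, func(p string, info os.FileInfo, err error) error {
		if err != nil || p == dir {
			return err
		}
		link := "" // Walk uses Lstat, so a symlink is described as itself
		if info.Mode()&os.ModeSymlink != 0 {
			if link, err = os.Readlink(p); err != nil {
				return err
			}
		}
		hdr, err := tar.FileInfoHeader(info, link)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(dir, p)
		hdr.Name = filepath.ToSlash(rel) // archive-relative, '/'-separated
		if info.IsDir() {
			hdr.Name += "/"
		}
		fixup(hdr)
		if err := tw.WriteHeader(hdr); err != nil {
			return err
		}
		if !info.Mode().IsRegular() {
			return nil // directories and symlinks carry no body
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = io.Copy(tw, f)
		return err
	})
	if err != nil {
		return err
	}
	return tw.Close()
}

// NaiveTar keeps everything FileInfoHeader fills in: mtime, atime/ctime,
// uid/gid and the owner names looked up on this host. The archive bytes change
// whenever any of those do, even though the file contents did not.
func NaiveTar(dir string, w io.Writer) error {
	return writeEntries(dir, w, func(*tar.Header) {})
}

// DeterministicTar zeroes the header fields that vary between runs and hosts.
// The field list is this example's choice (assumption), not Zarf's; mode bits
// are kept because they are a property of the input files themselves.
func DeterministicTar(dir string, w io.Writer) error {
	return writeEntries(dir, w, func(h *tar.Header) {
		h.ModTime = time.Unix(0, 0).UTC() // epoch fits the USTAR octal field, no PAX record needed
		h.AccessTime, h.ChangeTime = time.Time{}, time.Time{}
		h.Uid, h.Gid = 0, 0
		h.Uname, h.Gname = "", ""
		h.Format = tar.FormatPAX // pin the format; long names become PAX records instead of errors
	})
}

// Digest returns the hex SHA-256 of the tar stream that tarFn writes for dir.
func Digest(dir string, tarFn func(string, io.Writer) error) (string, error) {
	h := sha256.New()
	if err := tarFn(dir, h); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Usage (assumed file name): go run main.go [dir]   (dir defaults to ".")
func main() {
	dir := "."
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	naive, err1 := Digest(dir, NaiveTar)
	det, err2 := Digest(dir, DeterministicTar)
	if err1 != nil || err2 != nil {
		fmt.Fprintln(os.Stderr, err1, err2)
		os.Exit(1)
	}
	fmt.Printf("naive         %s\ndeterministic %s\n", naive, det)
}
```

Run it against a directory, `touch` any file underneath, and run it again: the naive digest changes while the deterministic one stays put, which is exactly the `components/*.tar` symptom the commit message describes. Two things are worth checking before adopting an approach like this in a real build: the stripped fields must not include anything the consumer relies on (here the mode bits are deliberately kept), and the tar format should be pinned explicitly, because leaving `Format` unset lets the writer choose USTAR, PAX or GNU per entry based on header content, which is one more way two runs can diverge.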