There is a security trend called reproducible builds, which aims to provide a way to create bit-exact copies of output binaries so that the user can verify whether the version found on the internet is trustworthy. Is there a similar movement and tooling across the Docker community? The way I understand it, even with version pinning in containerized Linux distributions, timestamps would make this problematic. Is there a way to solve this problem and create a readable Dockerfile that doesn't build from scratch, that would describe dependencies deterministically and in a future-proof way?
Viewed 243 times
did you find the answer? google jib, bazel docker rules, and buildpacks all solve that by using a zero timestamp (epoch). However I didn't find a way to do it with docker. – somdoron Jun 11 '20 at 19:48
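The comment above says the tools that achieve reproducible images do it by stamping everything with the epoch. As an added example (not code from the question, the comment, or any of the tools named there), the Python below models an image layer as a gzip-compressed tar archive and shows exactly where the timestamps leak in: each tar entry carries an mtime, the gzip header carries an mtime, and entry order depends on how the files were listed. `build_layer` packs a constructed sample of files with a chosen build clock; `layer_digest` is the sha256 that a registry would compute over the blob; `newest_mtime` is the check a practitioner would run over a layer to confirm nothing non-epoch slipped in. The file names, contents and the `SAMPLE_FILES` name are made up for the demonstration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "build context": path -> contents (illustrative only).
SAMPLE_FILES = {
    "app/main.py": b"print('hello')\n",
    "app/requirements.txt": b"requests==2.31.0\n",
    "etc/motd": b"built by example\n",
}


def build_layer(files, mtime):
    """Pack `files` into a gzip'd tar blob, the shape of an OCI layer.

    `mtime` plays the role of the build clock: it is written into every tar
    entry AND into the gzip header, which is why two builds of identical
    content usually differ.  Entries are sorted and owner/mode are fixed so
    that the build clock is the only remaining source of variation.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):          # deterministic entry order
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = mtime              # per-entry timestamp sink
            info.uid = info.gid = 0         # normalise owner
            info.uname = info.gname = ""
            info.mode = 0o644               # normalise permissions
            tar.addfile(info, io.BytesIO(data))
    # gzip header has its own 32-bit mtime field: second timestamp sink.
    return gzip.compress(buf.getvalue(), compresslevel=9, mtime=mtime)


def layer_digest(blob):
    """Content digest in the `sha256:<hex>` form registries use."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def newest_mtime(blob):
    """Largest mtime found in a layer; 0 means it was fully epoch-normalised."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(blob)), mode="r") as tar:
        return max((m.mtime for m in tar.getmembers()), default=0)


def reproducibility_report(files):
    """Return (digests_differ_with_clock, digests_match_with_epoch).

    Builds the same content twice with a moving clock, then twice with the
    clock pinned to the epoch (the SOURCE_DATE_EPOCH=0 approach), and reports
    whether the two blobs hash identically in each case.
    """
    wall_a = layer_digest(build_layer(files, 1_600_000_000))
    wall_b = layer_digest(build_layer(files, 1_600_000_001))  # one second later
    epoch_a = layer_digest(build_layer(files, 0))
    # Same content, different insertion order: sorting must absorb it.
    shuffled = dict(reversed(list(files.items())))
    epoch_b = layer_digest(build_layer(shuffled, 0))
    return wall_a != wall_b, epoch_a == epoch_b


if __name__ == "__main__":
    differs, matches = reproducibility_report(SAMPLE_FILES)
    print("wall-clock builds differ:", differs)
    print("epoch-pinned builds match:", matches)
    print("epoch layer newest mtime:", newest_mtime(build_layer(SAMPLE_FILES, 0)))
```

The useful takeaway is that pinning a base image by digest removes only the input side of the problem; the output layers still embed the build clock in two places plus the directory walk order, and all three have to be normalised before two independent builds can be compared by digest. The `newest_mtime` check is cheap to run in CI against a freshly built layer to catch a step that wrote files without honouring the pinned clock.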