
Set rewrite-timestamp=true #70

Open

Conversation

@AkihiroSuda (Author)

Part of:

This exporter option rewrites the timestamps of the files inside image layers to use $SOURCE_DATE_EPOCH so as to increase reproducibility.

https://github.com/moby/buildkit/blob/v0.15.2/docs/build-repro.md#source_date_epoch

@tianon (Member) commented Aug 19, 2024

moby/buildkit#4576 (comment)

Regarding enabling rewrite-timestamp=true, are there any side effects? In other words, why is the behavior opt-in instead of opt-out or even just enabled by default and/or automatically enabled when an appropriate SOURCE_DATE_EPOCH is set? What are the downsides, and how do we communicate them to our users when they ask us about the metadata of the images we publish? (Which is a thing that's already surprised quite a few people in our images since we've started setting SOURCE_DATE_EPOCH and the timestamps on the metadata of layers of an image were no longer necessarily always linear, which is technically correct, but also surprising behavior, especially after ~10 years of that not being the way this works.)

You replied that it's incompatible with unpack=true - should I know what unpack is for? Having to enable this by default if it's generally sane, reasonable, and safe still feels really backwards/wrong and makes me question whether it really is generally sane, reasonable, and safe.

@AkihiroSuda (Author)

unpack=true means unpacking image blobs as containerd snapshots.
I'll try to implement the support for unpack=true, but it does not relate to docker-library/meta-scripts.

@AkihiroSuda (Author)

ping?

Part of docker-library/official-images issue 16044

This exporter option rewrites the timestamps of the files inside image layers
to use $SOURCE_DATE_EPOCH so as to increase reproducibility.

https://github.com/moby/buildkit/blob/v0.15.2/docs/build-repro.md#source_date_epoch

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda (Author)

Rebased

@thompson-shaun commented Oct 25, 2024

👋 @AkihiroSuda - For this PR specifically what are we seeing as the user benefit? Also, what is the risk to existing users? Are there downstream tools that would be angry?

The bigger context being in docker-library/official-images#16044 of course 😄

@AkihiroSuda (Author)

> For this PR specifically what are we seeing as the user benefit?

The benefit is the reduction of the diff across builds.
This will help in evaluating the potential risk of supply chain attacks.

Note that this rewrite-timestamp=true PR only affects the timestamps, and does not affect the file contents.

For reproducing the file contents, the following Dockerfile PRs are still needed:

No additional PR is needed for the following repos:

> Also, what is the risk to existing users?

A build may take an additional couple of minutes for rewriting the timestamps.

> Are there downstream tools that would be angry?

https://github.com/reproducible-containers/diffoci is "angry" by default about timestamp differences, though it has an --ignore-timestamps flag.
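As an added illustration (not code from this PR, from meta-scripts or from BuildKit), the following Python models what rewrite-timestamp=true does to a layer and the check a consumer of a published image can run: two layers that differ only in file mtimes become byte-identical once every mtime is set to SOURCE_DATE_EPOCH, while the file contents are untouched. The layer tar entries and the epoch value are constructed inline, and the rewrite is a simplified model of BuildKit's behaviour, not its implementation.

```python
import io
import tarfile

SOURCE_DATE_EPOCH = 1_700_000_000  # constructed value; real builds read it from the environment


def build_layer(entries):
    """Build an uncompressed layer tar in memory from (path, bytes, mtime) triples.

    Constructed stand-in for an image layer: regular files only, which is enough
    to show the timestamp behaviour."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data, mtime in entries:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def layer_entries(layer):
    """Return {path: (mtime, contents)} for every entry in a layer tar."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:") as tar:
        for member in tar.getmembers():
            data = tar.extractfile(member).read() if member.isfile() else None
            result[member.name] = (member.mtime, data)
    return result


def rewrite_timestamps(layer, epoch):
    """Simplified model of rewrite-timestamp=true: every entry's mtime becomes
    `epoch`; names, modes, sizes and contents are copied through unchanged."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:") as src:
        with tarfile.open(fileobj=out, mode="w") as dst:
            for member in src.getmembers():
                member.mtime = epoch
                dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    return out.getvalue()


def timestamp_drift(layer, epoch):
    """Paths whose mtime differs from SOURCE_DATE_EPOCH. An empty list means the
    layer cannot produce timestamp-only diffs between otherwise identical builds."""
    return sorted(p for p, (mtime, _) in layer_entries(layer).items() if mtime != epoch)
```

Running timestamp_drift over the layers of an image you are about to compare is the same check diffoci performs before --ignore-timestamps is needed.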
