10:50
-
11:10
-
11:10
Day 1
Who’s reproducing the reproducible images?
<p>Reproducing a container image would ideally be just a matter of setting <code>SOURCE_DATE_EPOCH</code> in your build commands or containerfiles. Like most reproducible builds though, that’s just one part of the story. And unfortunately, the other part is <em>not</em> the rest of the sources of non-determinism (and yes, there are quite a few). The most critical part of the story is <em>guaranteeing</em> that anyone can reproduce your container image <em>bit-for-bit</em>, regardless of the date, location, device architecture, or container runtime they are using. Who’s doing this though?</p>
<p>In this talk we’ll explain why one should care about reproducible images, why are we reproducibly building <code>sha256:b0088ba0110c2acfe757eaf41967ac09fe16e96a8775b998577f86d90b3dbe53</code> for about a year now, and how you can easily leverage some of the stuff we learned along the way.</p>