Use SOURCE_DATE_EPOCH to configure image create time #204
Conversation
Signed-off-by: Natalie Arellano <narellano@vmware.com>
natalieparellano
added
team/implementation
scope/team
|
Maintainers, As you review this RFC please queue up issues to be created using the following commands: Issues(none) |
natalieparellano
requested review from
ekcasey,
jabrown85,
sambhav and
jromero
| [unresolved-questions]: #unresolved-questions | ||
|
|
||
| - What parts of the design do you expect to be resolved before this gets merged? | ||
| * Should we require users to be on platform api 0.9 in order to use this feature? (Opinion: no, because this feature is invisible if the environment variable is not set. The motivation for spec'ing this in the platform api is to make it clear for platform operators how to use it.) |
There was a problem hiding this comment.
I agree - no need to be on newer platforms to use it.
There was a problem hiding this comment.
If we are not tying it to a specific platform API, I don't see why we should note this in the platform spec and not in our docs. It seems a weird that we are retroactively adding something to the past platform APIs but only documenting it for 0.9. I would be in favor of just documenting this in the lifecycle docs somewhere and implementing it in pack via a flag if we plan on introducing this for past platform APIs that have already been released as opposed to adding it to the platform spec.
There was a problem hiding this comment.
We follow something similar with our estargz support in lifecycle.
There was a problem hiding this comment.
I disagree that this shouldn't be part of the specification. As platform implementors, we rely on the API to know what parameters we can use especially when it has specific side effects on the outcome. estargz support is an accident and can't be documented as supported because of the similar.
Essentially platforms that don't get to select their lifecycle implementations but rely on what's on the builder go from saying "by doing X you get Y" to "by doing X you MAY get Y".
There was a problem hiding this comment.
To the original opinion regarding backward compatibility, nothing on the specification says a lifecycle implementation CAN'T support an arbitrary environment variable.
There was a problem hiding this comment.
Yes, but it very much violates the whole point of having a platform API. If we start introducing new features for older platform APIs, the platform is now dependent on a specific lifecycle version to support a specific feature rather than knowing the feature set it will have available given a platform API.
Say you are a platform implementing this feature in an older platform api and you set this environment variable. You as a platform will never know whether or not the lifecycle actually respected the variable and set an appropriate date for the image or not as the lifecycle has no such contract for older apis.
On the other hand if we explicitly implement this as part of a new platform api then there is an inherent contract that the platform can rely upon.
There was a problem hiding this comment.
Yes, I agree. That's the argument I have for moving forward and having it spec'd so it makes sense. I guess I personally care less for prior implementations because it's a lower risk probability. Specially if it's not the conventional env var but something prefixed with CNB_.
There was a problem hiding this comment.
the lifecycle has no such contract for older apis
Personally I think this is totally fine. The feature isn't mentioned in older platform apis, so it can't be relied upon. Use at your own risk.
There was a problem hiding this comment.
I think we should spec the feature b/c it's existence determines whether a platform like pack can provide a new feature (a flag to use the real creation time) to users.
the platform is now dependent on a specific lifecycle version to support a specific feature rather than knowing the feature set it will have available given a platform API.
Whatever decision we make here, I still think the platform API is the source of truth.
With my platform author hat on, I basically see the decision to support this in old APIs as irrelevant. I won't trust that I can use it in an old API, but also it doesn't hurt me. Maybe there are some edge cases where having it is helpful. E.g. I operate a very specific platform that uses a specific builder and I know my lifecycle version, maybe I go ahead and use this feature without checking the lifecycle version? But I am only tempted if I control the environment and know what I am doing.
That was a very long winded way of saying "whatever y'all can agree on is fine with me on this one".
There was a problem hiding this comment.
👍 on it being spec'd if we want it as part of the contract.
| # Summary | ||
| [summary]: #summary | ||
|
|
||
| To allow for [build reproducibility](https://github.com/buildpacks/spec/blob/main/platform.md#build-reproducibility), images created by Cloud Native Buildpacks have a hard-coded create time of January 1, 1980. We have received requests from the community (see [here](https://github.com/buildpacks/pack/issues/1281) and [here](https://buildpacks.slack.com/archives/C94UJCNV6/p1643842965830459)) to allow for this value to be configurable. This RFC proposes making the value configurable by setting `SOURCE_DATE_EPOCH` in the lifecycle's execution environment during `export`. |
There was a problem hiding this comment.
I dislike that this environment variable doesn't align with the CNB_ prefix of all other environment variables. I get that it comes from a convention but I'm not sure that it justifies breaking away from our convention. Even ko has KO_DATA_DATE_EPOCH . What if we left SOURCE_DATE_EPOCH up to the platforms to decide support on but have CNB_DATE_EPOCH or something similar for the interface to the lifecycle?
There was a problem hiding this comment.
IIUC KO_DATA_DATE_EPOCH is used for a slightly different purpose: "used to set the modtime timestamp of the files in KO_DATA_PATH". However jib uses USE_CURRENT_TIMESTAMP to set image create time.
There was a problem hiding this comment.
What about an emoji vote?
🎉 CNB_SOURCE_DATE_EPOCH
❤️ SOURCE_DATE_EPOCH
There was a problem hiding this comment.
I left both emojis to start the poll, but I am in favor of SOURCE_DATE_EPOCH. I think that one "wins" unless others come forward.
| - Why should we do this? | ||
| Users have asked for it | ||
| - What use cases does it support? | ||
| A meaningful image create time, e.g., the ability to determine which images are most recent |
There was a problem hiding this comment.
Don't we have a slack thread that describes in detail a use case for the most recent image like pruning old images.
There was a problem hiding this comment.
| # How it Works | ||
| [how-it-works]: #how-it-works | ||
|
|
||
| This [PR](https://github.com/buildpacks/imgutil/pull/137) to imgutil would read the environment variable at the point of saving the image. An alternative implementation could be to have the `exporter` read the variable and provide it via a new `SetCreatedAt()` method on the `imgutil.Image` interface. The latter might be safer as it would avoid unintended side effects for other consumers of imgutil (e.g., `pack`). |
There was a problem hiding this comment.
The latter might be safer as it would avoid unintended side effects for other consumers of imgutil (e.g., pack).
As convenient as it would be to merge the existing PR, I tend to agree.
| [unresolved-questions]: #unresolved-questions | ||
|
|
||
| - What parts of the design do you expect to be resolved before this gets merged? | ||
| * Should we require users to be on platform api 0.9 in order to use this feature? (Opinion: no, because this feature is invisible if the environment variable is not set. The motivation for spec'ing this in the platform api is to make it clear for platform operators how to use it.) |
There was a problem hiding this comment.
I think we should spec the feature b/c it's existence determines whether a platform like pack can provide a new feature (a flag to use the real creation time) to users.
the platform is now dependent on a specific lifecycle version to support a specific feature rather than knowing the feature set it will have available given a platform API.
Whatever decision we make here, I still think the platform API is the source of truth.
With my platform author hat on, I basically see the decision to support this in old APIs as irrelevant. I won't trust that I can use it in an old API, but also it doesn't hurt me. Maybe there are some edge cases where having it is helpful. E.g. I operate a very specific platform that uses a specific builder and I know my lifecycle version, maybe I go ahead and use this feature without checking the lifecycle version? But I am only tempted if I control the environment and know what I am doing.
That was a very long winded way of saying "whatever y'all can agree on is fine with me on this one".
|
With 3/5 implementation maintainers in favor, I think this can be in FCP |
Signed-off-by: Natalie Arellano <narellano@vmware.com> Co-authored-by: Emily Casey <ecasey@vmware.com>
|
@natalieparellano I can do it. |
Readable