Reproducing a container image would ideally be just a matter of setting SOURCE_DATE_EPOCH in your build commands or containerfiles. Like most reproducible builds though, that’s just one part of the story. And unfortunately, the other part is not the rest of the sources of non-determinism (and yes, there are quite a few). The most critical part of the story is guaranteeing that anyone can reproduce your container image bit-for-bit, regardless of the date, location, device architecture, or container runtime they are using. Who’s doing this though?

In this talk we’ll explain why one should care about reproducible images, why are we reproducibly building sha256:b0088ba0110c2acfe757eaf41967ac09fe16e96a8775b998577f86d90b3dbe53 for about a year now, and how you can easily leverage some of the stuff we learned along the way.