| ▲ | paulddraper 9 hours ago | |
This is smart. Container layers are so large that moving them around is heavy. So defer that part for the non-hermetic push/load parts of the process, while retaining heremticity/reproducibility. You can sort of think of it like the IO monad in Haskell…defer it all until the impure end. | ||
| ▲ | __turbobrew__ an hour ago | parent [-] | |
Is load not hermetic? Ideally you should be mirroring all layers you use as inputs to your OCI builds and pin SHA256 versions. Your caching will also have issues if you don’t pin versions. Push should also be idempotent, but not hermetic. | ||