Are snaps built with snapcraft deterministic?


#1

If I build a snap with Snapcraft on one computer and then build the snap again on another computer with the same snapcraft.yaml file, should I get identical (same md5 or sha hash) .snap files?

I mostly wanted to know in the case of building with the core18 base, but I would also be interested to know how to make a Snapcraft build deterministic.


#2

The simple answer is no: snapcraft today is not set up for reproducible builds. There are many factors for this; these come to mind without further thought:

  • use of build-packages and stage-packages, which have the <release>-updates pockets enabled, so if there is an update in between builds you will see a different result if any package from those lists changes.
  • file timestamps are not in sync between different environments.

Builds, however, are always executed in the same prescribed order, and a manifest.yaml can be made part of the snap (default on build.snapcraft.io) to compare what made it into the package. From plugins that allow it, and stage-packages or build-packages, you can request specific versions and get a build failure if those items cannot be satisfied, but you will need to crawl the dependency chain for a close approximation.
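
An added example, not part of the original posts and not snapcraft code: a way to tell which of the two factors above makes two builds differ, by comparing the trees of two snaps and separating files whose content changed from files that differ only in timestamp. It assumes both snaps were already unpacked with `unsquashfs -d`; the function names are hypothetical and the demo trees are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative path -> (sha256 of content or link target, mode, mtime)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            # Hash a symlink's target, not the file it points to.
            data = os.readlink(full).encode() if os.path.islink(full) else Path(full).read_bytes()
            rel = os.path.relpath(full, root)
            out[rel] = (hashlib.sha256(data).hexdigest(), st.st_mode, int(st.st_mtime))
    return out


def compare_trees(a_root, b_root):
    """Classify differences between two unpacked snap trees."""
    a, b = snapshot(a_root), snapshot(b_root)
    report = {"missing": [], "content": [], "mtime_only": []}
    for rel in sorted(set(a) | set(b)):
        if rel not in a or rel not in b:
            report["missing"].append(rel)      # present in only one build
        elif a[rel][:2] != b[rel][:2]:
            report["content"].append(rel)      # bytes or mode changed (e.g. package update)
        elif a[rel][2] != b[rel][2]:
            report["mtime_only"].append(rel)   # same bytes, different timestamp
    return report


def demo():
    """Constructed sample: two tiny trees standing in for unpacked snaps."""
    with tempfile.TemporaryDirectory() as tmp:
        for build, lib, stamp in (("a", b"v1.0", 1_500_000_000), ("b", b"v1.1", 1_600_000_000)):
            root = os.path.join(tmp, build)
            os.makedirs(os.path.join(root, "bin"))
            for rel, data in (("bin/app", b"same bytes"), ("libfoo.so", lib)):
                path = os.path.join(root, rel)
                Path(path).write_bytes(data)
                os.utime(path, (stamp, stamp))  # simulate builds at different times
        return compare_trees(os.path.join(tmp, "a"), os.path.join(tmp, "b"))


if __name__ == "__main__":
    print(demo())
```

Files listed under `mtime_only` are enough on their own to change the hash of the .snap file, while entries under `content` point at inputs that actually changed between builds.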