Maybe we should aggregate this with the full list of packages at the time of build; this seems better than recording the hash of the image used and can lead to an eventual reproducible build.
I do think it is useful to know what version of libboost you installed, which would have generated a different list of binaries, so yes, it may be different but would allow for CVE tracking; that said, the aggregation of packages installed at build time could bring in the full picture.
That said, these things you mention are sort of the reason I haven’t pushed for this harder, my mind is not set entirely on it.
I would like to have some insight on how this is being done currently for the core snap (not necessarily by you) to get some pointers. We are also waiting on some comments from security for this. I might try and nudge them for some comments.
Also, there are two things that get conflated here: recording what was used to build in order to analyze it, and recording it in order to reproduce a build. I am much more interested in the former, with a design that can potentially lead us to the latter, but the latter is not the focus here.