by compsciphd 163 days ago
All these tools demonstrate a major flaw in OCI images. There is no good way to determine what image your current image was built on top of.

You can try to infer it from having a worldwide list of chainIds and associating known images with their final chainId, but this isn't perfect, and then you just assume your image's changes are from last_known_chain_id+1->end.

1) Many image tags can share a chainId (not a terrible problem).
2) If for some reason you don't know of an image, but know of its parent, you will assume its "parent" is your base image, when it's not.

I don't quite understand why OCI images don't contain a reference to the base image that they were created from (which can even be empty/no parents for from-scratch images, including where multistage builds are done and everything gets copied into a from-scratch image).

1 comments
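To make the heuristic in the comment above concrete, here is an added Python example (not code from the thread, from cek, or from any of the tools mentioned). It computes layer ChainIDs from an OCI image config's rootfs.diff_ids exactly as the OCI image spec defines them, then guesses the base image by the longest layer prefix whose ChainID appears in a lookup table. The layer digests, image names and both lookup tables are constructed for the demo; they are not real images. The "partial" table reproduces flaw 2: the runtime image is unknown but its distro parent is, so the runtime layer gets misattributed to the application's own changes.

```python
import hashlib
import json


def sha256_digest(data: bytes) -> str:
    """Digest string in the form the OCI spec uses: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def diff_ids_from_config(config_json: str):
    """Pull the uncompressed layer digests out of an OCI image config blob."""
    rootfs = json.loads(config_json)["rootfs"]
    if rootfs.get("type") != "layers":
        raise ValueError("unsupported rootfs type: %r" % rootfs.get("type"))
    return list(rootfs["diff_ids"])


def chain_ids(diff_ids):
    """ChainID of every prefix of the layer list, per OCI image-spec layer.md:
         ChainID(L0)      = DiffID(L0)
         ChainID(L0..Ln)  = Digest(ChainID(L0..Ln-1) + " " + DiffID(Ln))
    The n-th entry identifies the filesystem you get after applying layers 0..n.
    """
    chain = []
    for diff_id in diff_ids:
        if not chain:
            chain.append(diff_id)
        else:
            chain.append(sha256_digest(f"{chain[-1]} {diff_id}".encode()))
    return chain


def infer_base(diff_ids, known_bases):
    """The heuristic from the comment: walk the ChainIDs from the top down and
    take the longest prefix that matches a known image. Returns
    (image refs sharing that ChainID, number of layers attributed to the base);
    everything after that count is assumed to be 'your' changes."""
    chain = chain_ids(diff_ids)
    for n in range(len(chain), 0, -1):
        refs = known_bases.get(chain[n - 1])
        if refs:
            return refs, n
    return [], 0


# Constructed layer digests (hypothetical, not real image content).
DISTRO = [sha256_digest(b"distro rootfs")]
RUNTIME = DISTRO + [sha256_digest(b"runtime install")]   # FROM distro
APP = RUNTIME + [sha256_digest(b"app code")]             # FROM runtime

# Constructed OCI config for the app image, as a registry would store it.
APP_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "rootfs": {"type": "layers", "diff_ids": APP},
})


def demo():
    app_layers = diff_ids_from_config(APP_CONFIG)
    # Flaw 1: two tags of the same image share one ChainID, so the match is ambiguous.
    full_table = {
        chain_ids(DISTRO)[-1]: ["distro:stable"],
        chain_ids(RUNTIME)[-1]: ["runtime:1.2", "runtime:latest"],
    }
    # Flaw 2: the runtime image is not in the table, only its distro parent is.
    partial_table = {chain_ids(DISTRO)[-1]: ["distro:stable"]}
    return {
        "full": infer_base(app_layers, full_table),        # base = runtime, 1 own layer
        "partial": infer_base(app_layers, partial_table),  # base = distro, 2 "own" layers (wrong)
        "unknown": infer_base(app_layers, {}),             # nothing matches, everything is "yours"
    }


if __name__ == "__main__":
    for case, (refs, n_base) in demo().items():
        print(f"{case:8s} base={refs or None} base_layers={n_base} own_layers={len(APP) - n_base}")
```

With the full table the app's single layer is correctly isolated; with the partial table the runtime layer is silently counted as the app's own change, which is the misattribution the comment warns about. Nothing in the image itself lets you tell the two situations apart, which is the spec gap being discussed.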

That's, indeed, a spec limitation, not something cek can solve. If you're interested in provenance tracking, you might want to look at Sigstore's cosign attestations or GUAC (Graph for Understanding Artifact Composition).
Right. This is me complaining about the spec, not the tools. I've worked on tooling in this space. I simply don't understand why there seems to be no desire to make a simple addition to the spec.