Description
We have a CI process for publishing charts where we try to determine if a pushed repository needs to have its charts built and published. We would like to do this with a bitwise comparison of the generated tgz files. This works for charts without dependencies, but it is inconsistent for charts with dependencies.
For the setup (Using v2.8.1):
```
charts
├── child1
│   └── Chart.yaml
├── child2
│   └── Chart.yaml
├── child3
│   └── Chart.yaml
└── parent
    ├── Chart.yaml
    └── requirements.yaml
```
With charts:
```yaml
# child{1..3}/Chart.yaml
name: child{1..3}
version: 1.0.0

# parent/Chart.yaml
name: parent
version: 1.0.0

# parent/requirements.yaml
dependencies:
  - name: child1
    repository: file://../child1
    version: "*"
  - name: child2
    repository: file://../child2
    version: "*"
  - name: child3
    repository: file://../child3
    version: "*"
```
Running:
```sh
# working dir: parent
$ helm dep update
$ for i in {1..1000}; do helm package . && sha256sum parent-1.0.0.tgz && rm parent-1.0.0.tgz; done
```
produces several (3, after a significant number of iterations) different shas. The shas also appear to be non-uniformly distributed (e.g. 1 sha appears 70% of the time).
My guess is that https://github.com/kubernetes/helm/blob/master/pkg/chartutil/save.go#L160 is iterating over dependencies in a non-deterministic order, thus producing different tar files.
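The effect guessed at above can be reproduced outside Helm. This is an added example, not Helm's code and not part of the original report: it assumes dependencies are held in a Go map and written to the archive in iteration order, and `packDigest`, `distinctDigests` and the child chart contents are hypothetical names and constructed data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"fmt"
	"sort"
	"time"
)

// packDigest archives deps as tar.gz and returns the SHA-256 hex digest;
// sorted=false keeps Go's randomized map order, sorted=true sorts names first.
func packDigest(deps map[string][]byte, sorted bool) string {
	names := make([]string, 0, len(deps))
	for name := range deps {
		names = append(names, name)
	}
	if sorted {
		sort.Strings(names)
	}
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, name := range names {
		// Fixed ModTime: entry order is the only thing left that can vary.
		hdr := &tar.Header{Name: name, Mode: 0644, Size: int64(len(deps[name])), ModTime: time.Unix(0, 0)}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write(deps[name])
	}
	tw.Close()
	gz.Close()
	return fmt.Sprintf("%x", sha256.Sum256(buf.Bytes()))
}

// distinctDigests packs constructed child1..3 data `runs` times and counts digests.
func distinctDigests(sorted bool, runs int) int {
	deps, seen := map[string][]byte{}, map[string]bool{}
	for _, n := range []string{"child1", "child2", "child3"} {
		deps["parent/charts/"+n+"/Chart.yaml"] = []byte("name: " + n + "\nversion: 1.0.0\n")
	}
	for i := 0; i < runs; i++ {
		seen[packDigest(deps, sorted)] = true
	}
	return len(seen)
}
func main() {
	fmt.Println("map order:", distinctDigests(false, 1000), "sorted:", distinctDigests(true, 1000))
}
```

With sorted names every run yields the same digest, which is the property a byte-for-byte comparison in CI depends on.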