Conversation
| FROM registry.k8s.io/pause:3.10@sha256:ee6521f290b2168b6e0935a181d4cff9be1ac3f505666ef0e3c98fae8199917a | ||
| FROM ghcr.io/cybozu/ubuntu-minimal:${TAG_MINIMAL} | ||
| FROM ghcr.io/cybozu/ubuntu-minimal:${TAG_MINIMAL}@sha256:eb18868c75bbebaa11138382cd1dad8ac008a10cdecd4476da12c777b752498c |
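Review bot: with both `:${TAG_MINIMAL}` and `@sha256:...` on the FROM line, the pull is resolved by the digest alone, so a TAG_MINIMAL bump that misses the digest (or the reverse) still builds but ships an image other than the one the tag names; as this digest now appears in two Dockerfiles, consider supplying it via a build ARG next to TAG_MINIMAL, or making sure the bump step updates both files together.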
Typically, TAG_MINIMAL and its digest are changed at the same time.
Wouldn't it be better to set both of them as ARG?
The digest for ubuntu-minimal is referenced only once, while the TAG and its corresponding digest are used twice.
https://github.com/cybozu/ubuntu-base/blob/397bc54/24.04/ubuntu-debug/Dockerfile#L3
https://github.com/cybozu/ubuntu-base/blob/397bc54/24.04/ubuntu-dev/Dockerfile#L3
It's better to avoid this inconsistency.
No. Your change declares the digest as an ARG, but the same digest is used twice:
https://github.com/cybozu/ubuntu-base/pull/545/changes#diff-8fd999c90dc8fc10fa2e396c4740900c7b67ed2b02d4a61cecfe7ce61290c88bR2
https://github.com/cybozu/ubuntu-base/pull/545/changes#diff-5a85020e428b96fcf69a8c4c2eec70a964b894e65e64f5fe883c1b4ab43bba5cR2
It is better to provide the digest externally when building the image.
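A CI-style consistency check for the drift this thread is about (the same image and tag pinned to different digests across Dockerfiles, or a base image with no digest pin at all), added here as an example and not part of the PR; the sample Dockerfile contents are constructed, and treating a `@${DIGEST_...}` build ARG as an externally supplied pin is an assumption, not a convention the repository defines.

```python
import re
from collections import defaultdict

# FROM [--platform=...] image[:tag][@digest] [AS stage]. The digest may be a
# literal sha256 or a build ARG such as ${DIGEST_MINIMAL} (assumed convention).
# Registry hosts with a port (host:5000/img) are not handled by this regex.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?"
    r"(?P<image>[^\s:@]+)(?::(?P<tag>[^\s@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}|\$\{?\w+\}?))?",
    re.IGNORECASE | re.MULTILINE,
)

def parse_from_lines(text):
    """Return (image, tag, digest) for every FROM instruction in a Dockerfile."""
    return [(m["image"], m["tag"], m["digest"]) for m in FROM_RE.finditer(text)]

def check_pins(dockerfiles):
    """dockerfiles maps path -> contents. Returns a list of findings."""
    findings = []
    seen = defaultdict(set)  # (image, tag) -> literal digests seen across files
    for path, text in dockerfiles.items():
        for image, tag, digest in parse_from_lines(text):
            if image.lower() == "scratch":
                continue
            if digest is None:
                findings.append(f"{path}: {image}:{tag or 'latest'} has no digest pin")
            elif digest.startswith("sha256:"):
                seen[(image, tag)].add(digest)
            # a ${DIGEST} ARG is supplied at build time; nothing to compare here
    for (image, tag), digests in seen.items():
        if len(digests) > 1:
            findings.append(f"{image}:{tag} is pinned to {len(digests)} different digests")
    return findings

# Constructed sample files modelled on the layout discussed in the review:
# two images share ${TAG_MINIMAL} but carry different digests, one is unpinned.
SAMPLE = {
    "ubuntu-debug/Dockerfile": "ARG TAG_MINIMAL=24.04\n"
        "FROM ghcr.io/cybozu/ubuntu-minimal:${TAG_MINIMAL}@sha256:" + "a" * 64 + "\n",
    "ubuntu-dev/Dockerfile": "ARG TAG_MINIMAL=24.04\n"
        "FROM ghcr.io/cybozu/ubuntu-minimal:${TAG_MINIMAL}@sha256:" + "b" * 64 + "\n",
    "pause/Dockerfile": "FROM registry.k8s.io/pause:3.10\n",
}

if __name__ == "__main__":
    for finding in check_pins(SAMPLE):
        print(finding)
```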
Overview
Hardened image builds by pinning base image digests and replacing same-source checksum verification with pinned checksums for downloaded artifacts.