Make Docker builds more reproducible #408
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Declare an internal_base that the other two images are made from. This ensures the build image and the force image use the same base image.
This makes image builds more reproducible and reduces the surface area for supply-chain attacks against FORCE. Refs davidfrantz#403
This improves the reproducibility of the image build. Refs davidfrantz#403
Owner
|
This doesn't make sense to me. The FORCE image should always be built on top of the latest base and UDF versions |
Contributor
Author
|
The moving target is what is causing the images of old FORCE releases to no longer be possible to build, and I don't see how to get reproducible builds with moving targets. |
Owner
|
I thought the goal was to provide the possibility to build a very specific image. This is now possible. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pin the base image by sha256 for security reasons, and the force-udf repository by tag. This fixes the two major reasons that images for old FORCE releases no longer builds.
Fixes #403