Skip to content

Use docker "immutable identifier" instead of tag #2013

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Use docker "immutable identifier" instead of tag #2013

wants to merge 1 commit into from

Conversation

@Tonux599
Copy link
Contributor

@Tonux599 Tonux599 commented Oct 28, 2025

CircleCI and docker_repro.sh should use Docker's immutable identifier (sha256 digest of image) instead of tags.

Currently, using tags, the administrators of Docker Hub could be coerced into modifying tlaurion/heads-dev-env to produce malicious ROM's.

@tlaurion the safest way to ensure that CircleCI and local builds with docker_repro.sh are not tainted by a malicious images would be to use immutable identifiers instead of tags. Going forward, I would recommend you build your container locally, taking note of the sha256 digest, then pushing to docker hub before creating a signed commit replacing the checksums in .circleci/config.yml.

@tlaurion
Copy link
Collaborator

tlaurion commented Oct 28, 2025
edited
Loading

The idea was that docker image is supposed to be reproducible with the commit with which it was created. Trust but verify idea of reproducible builds here again.

I have no strong opposition to merge this as long as the instructions for maintainer follows in global README.md

@Tonux599
Copy link
Contributor Author

Tonux599 commented Oct 28, 2025

The idea was that docker image is supposed to be reproducible with the commit with which it was created. Trust but verify idea of reproducible builds here again.

That's good, but end users will probably skip building their own Docker image and would benefit from an immutable Docker image.

I have no strong opposition to merge this as long as the instructions for maintainer follows in global README.md

./docker_local_dev.sh and ./docker_latest.sh IMO can stay on the latest tag as generally the expectation would be resulting ROM's are not used in production. Whereas ./docker_repro.sh and CircleCI artefacts are expected to be used by end-users and (I believe) would benefit from the additional safety net of immutable Docker images.

@Tonux599 Tonux599 force-pushed the docker-immutable-identifier branch from 251e30d to 1642127 Compare November 1, 2025 20:25
@tlaurion
Copy link
Collaborator

tlaurion commented Nov 2, 2025
edited
Loading

To-do : document under README.md with copy paste related commands

  • "Going forward, I would recommend you build your container locally, taking note of the sha256 digest, then pushing to docker hub before creating a signed commit replacing the checksums in .circleci/config.yml."

So that next maintainer can reuse this knowledge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Tonux599 @tlaurion