Dockerfile: fix golang image name to v1.18.2 #723

Merged
merged 1 commit into from
May 16, 2022

@kaworu kaworu commented May 16, 2022

Missed by #715, I don't understand how it can work with the mismatching version/sha 🤷

@kaworu kaworu added the release-note/misc This PR makes changes that have no direct user impact. label May 16, 2022
@kaworu kaworu requested review from a team and joamaki and removed request for a team May 16, 2022 11:26
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>

joamaki commented May 16, 2022

Looks like if you specify the sha256 it doesn't care about the tag anymore:

cilium % docker run -it --rm docker.io/library/golang:whatever@sha256:e6b729ae22a2f7b6afcc237f7b9da3a27151ecbdcd109f7ab63a42e52e750262
/go #

@tklauser

> Missed by #715, I don't understand how it can work with the mismatching version/sha 🤷

If a sha is given, Docker only considers that one and ignores the tag. The tag can have any arbitrary value.

@joamaki joamaki left a comment

Looks good, the tag now matches with sha256:

cilium % docker run -it --rm docker.io/library/golang:1.18.2-alpine3.15
Unable to find image 'golang:1.18.2-alpine3.15' locally
1.18.2-alpine3.15: Pulling from library/golang
Digest: sha256:e6b729ae22a2f7b6afcc237f7b9da3a27151ecbdcd109f7ab63a42e52e750262
Status: Downloaded newer image for golang:1.18.2-alpine3.15

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 16, 2022
@tklauser tklauser merged commit 6a33379 into master May 16, 2022
@tklauser tklauser deleted the pr/kaworu/fix-docker-builder-image-version branch May 16, 2022 11:47

kaworu commented May 16, 2022

Oh I see, I guess it makes some sense since tags can be updated to point to another sha, which is the reason why we're pinning images in the first place.

But then if there is a "vulnerable" version golang:X@sha256:FOO and patched version golang:Y@sha256:BAR, it's possible to make someone think golang:Y@sha256:FOO is not vulnerable but it is (because I guess humans mostly look at the Y version rather than the sha)? Not ideal.
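The thread above observes that Docker ignores the tag once a digest is given, so a stale or misleading tag in a pinned `FROM` line goes unnoticed. As an added example (not part of the original PR or the project's code), here is a lint that flags `FROM` lines whose tag does not resolve to the pinned digest. The names `audit`, `split_ref` and `offline_resolve` are hypothetical, the sample Dockerfile is constructed, and the resolver is an offline stand-in for a registry lookup that uses the tag/digest pair shown in the thread.

```python
import re
from typing import Callable, Optional

# FROM [--platform=...] <ref> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)

def split_ref(ref: str):
    """Split name[:tag][@digest]; a ':' before the last '/' is a registry port."""
    ref, _, digest = ref.partition("@")
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        return ref[:colon], ref[colon + 1:], digest or None
    return ref, None, digest or None

def audit(dockerfile: str, resolve: Callable[[str, str], Optional[str]]):
    """Return (line_no, finding) for each FROM that is unpinned or whose tag
    does not resolve to the pinned digest. Earlier build stages are skipped."""
    findings, stages = [], {"scratch"}
    for no, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.groups()
        is_stage = ref.lower() in stages
        if stage:
            stages.add(stage.lower())
        if is_stage:
            continue
        name, tag, digest = split_ref(ref)
        if digest is None:
            findings.append((no, "unpinned"))             # tag can be repointed
        elif tag is not None and resolve(name, tag) != digest:
            findings.append((no, "tag-digest-mismatch"))  # tag label misleads readers
    return findings

# Tag/digest pair as shown in the thread's pull output; everything else is constructed.
DIGEST = "sha256:e6b729ae22a2f7b6afcc237f7b9da3a27151ecbdcd109f7ab63a42e52e750262"
KNOWN = {("docker.io/library/golang", "1.18.2-alpine3.15"): DIGEST}

def offline_resolve(name: str, tag: str) -> Optional[str]:
    """Assumption: stands in for asking the registry what the tag points to."""
    return KNOWN.get((name, tag))

SAMPLE = f"""\
FROM docker.io/library/golang:whatever@{DIGEST} AS builder
FROM docker.io/library/golang:1.18.2-alpine3.15@{DIGEST} AS builder2
FROM docker.io/library/alpine:3.15
FROM builder AS final
"""

if __name__ == "__main__":
    for no, finding in audit(SAMPLE, offline_resolve):
        print(f"line {no}: {finding}")
```

A tag's digest changes whenever the tag is repointed, so in CI the resolver has to query the registry at check time rather than rely on a static table.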
