There doesn't seem to be a way to use the latest docker images (without the "v1" tag) #95
Comments
|
On a somewhat related note, once I unpin CFLite the "security posture" of systemd is going to get worse even more. it would be great if OSS-Fuzz/CIFuzz/CFLite can somehow affect the scorecard fuzzing check (which is totally bogus as this point: ossf/scorecard#1816 (comment)). |
The tags aren't exactly bogus. We're doing this in case we make breaking changes to the API in v2 |
I'm not happy about this situation either and i've complained to scorecards but it doesn't seem like they will budge. I agree I think pinning provides little security benefit, fuzzing (for C++) provides a big security benefit, so using CFLite without pinning makes a project more secure not less and that scorecards is wrong |
Agreed. After a lengthy discussion in #96 I switched to the tags. For that to fully work https://github.com/google/clusterfuzzlite/releases/tag/v1 would have to be bumped automatically though. (@oliverchang bumped it yesterday manually)
I have to admit I'm not even sure what |
As mentioned in google/oss-fuzz#7206 (comment) I'm planning to unpin CFLite but looking at the action it appears for some reason it uses tags to download the docker images:
Those tags are bogus in the sense that they keep rolling forward so I wonder if it's possible to remove them to make it clear that they always point to the latest images.
The idea is to always use the "main" branch and the latest images (by analogy with CIFuzz) and avoid getting bogus Dependabot updates when/if google/oss-fuzz#7212 is implemented
The text was updated successfully, but these errors were encountered: