You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Lock default versions to specific image hashes, to make command upgrades explicit.
Why:
Last week all major official dockerhub images were updated and existing tags replaced. This has broken the --shell integration tests for several commands.
For example, golang:1.16 now uses alpine3.15, whereas before, it may have been 3.14 or even a different linux distro (it's not actually possible to know what was used before).
This reveals that specifying versions (or even tags) is not enough to guarantee reproducibility, i.e. dockerized may work well one day, and be broken another. Differences between systems may occur, depending on which image was present locally for a specific tag.
Functional requirements
Commands that are included with dockerized are locked to specific image digests
The .env file is still readable and intuitive, i.e. GO_VERSION=1.17.8 and not GO_VERSION=f837w389875t0438r
The versions are locked to the same digest for all users (so not determined upon first use, but included in the release)
A way for maintainers to upgrade the digest of a version
Technical implementation
Todo.
A lock file will probably make the most sense
Out of scope
These features can be considered for a future iteration:
Per user and per project locked versions.
Version locking of ad-hoch specified versions (e.g. dockerized go:1.16 will then lock go 1.16 to a particular digest, 'forever')
The text was updated successfully, but these errors were encountered:
Lock default versions to specific image hashes, to make command upgrades explicit.
Why:
Last week all major official dockerhub images were updated and existing tags replaced. This has broken the
--shellintegration tests for several commands.For example,
golang:1.16now usesalpine3.15, whereas before, it may have been3.14or even a different linux distro (it's not actually possible to know what was used before).This reveals that specifying versions (or even tags) is not enough to guarantee reproducibility, i.e. dockerized may work well one day, and be broken another. Differences between systems may occur, depending on which image was present locally for a specific tag.
Functional requirements
.envfile is still readable and intuitive, i.e.GO_VERSION=1.17.8and notGO_VERSION=f837w389875t0438rTechnical implementation
Todo.
Out of scope
These features can be considered for a future iteration:
dockerized go:1.16will then lock go 1.16 to a particular digest, 'forever')The text was updated successfully, but these errors were encountered: