Commit 3da3f8d

chapter 3: add details about apk and package versions
1 parent 5cba287 commit 3da3f8d

File tree

1 file changed

+17
-10
lines changed

src/thesis/3-tools.typ

Lines changed: 17 additions & 10 deletions
@@ -462,17 +462,24 @@ been pinned to a specific commit at lines 1 and 7.
462462

463463
For example, specifying `FROM alpine:3.19.1` in a `Dockerfile` instead of
464464
`FROM alpine` ensures that the Alpine 3.19.1 version is always used, providing
465-
stability. This mechanism applies similarly across different programming
465+
stability. Additionally, to minimize the risk of variation, the `build-base`
466+
package used in the `Dockerfile` (@ch3-dockerfile) is pinned to version
467+
`0.5-r3`. This mechanism applies similarly across different programming
466468
language ecosystems. However, it is important to note that version tags, like
467-
`3.19.1`, can be replaced or updated by the maintainers, potentially altering
468-
the contents associated with a #emph[pinned] version.
469-
470-
To overcome this, the use of digests or checksums (@checksum) can anchor
471-
images to a specific snapshot, offering a stronger guarantee of immutability.
472-
For instance, specifying
473-
`FROM alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b`
474-
as shown in @ch3-dockerfile ensures that exactly the same image is used
475-
consistently, regardless of any updates.
469+
`3.19.1` or `0.5-r3`, can be replaced or updated by the maintainers, without
470+
users' awareness, potentially altering the contents of a "pinned" version and
471+
impacting reproducibility.
472+
473+
To mitigate this issue, using digests can ensure images are anchored to a
474+
specific snapshot, offering a stronger guarantee of immutability. For
475+
instance, specifying `FROM alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b`,
476+
as shown in @ch3-dockerfile, ensures that the exact same image is used
477+
consistently, regardless of any upstream updates. While using a digest to pin
478+
the base image ensures immutability, the `apk` package manager does not
479+
support a similar mechanism, only tags are supported. It's important to be
480+
aware of the limitations of the tools (e.g., the `apk` package manager) used
481+
in the base image, as even with precautions, variability in the build process
482+
may still be introduced.
476483
]
477484

478485
Docker's containerization technology offers a way to create consistent software
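Review bot: the new sentence at lines 478-479, "the `apk` package manager does not support a similar mechanism, only tags are supported", is a comma splice and uses "tags" for what the rest of the paragraph calls package versions (the `0.5-r3` example for `build-base`); suggest "the `apk` package manager does not support a comparable digest-based mechanism; only version strings such as `0.5-r3` can be specified." Two smaller points in the same hunk: "It's important to be aware" at line 479 should read "It is important to be aware" to match the thesis register of the surrounding prose, and the `FROM alpine@sha256:...` line at 475 now runs well past the column width the rest of the file wraps at (the removed lines 472-473 had it split across two lines), so consider restoring the break before the backticked directive.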
