Feature: Pinned-Dependencies digest hashes don't make sense for multi-platform docker images #1773
Comments
Thanks for the issue! Can you use variables to do that? We accept That brings up a second question: how do you store the hashes in a place that dependabot/renovatebot will understand and update? There's also a template engine, but I've not looked into it much yet. Let's add this back to the doc once we've figured out the right solution |
cc @loosebazooka @lumjjb any thoughts? |
I don't see why multiplatform images can't be referenced by the hash of the manifest list? |
for example to obtain the manifest list digest
and we can see the contents are indeed a manifest list
|
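As an added example (not code from the scorecard project or from anyone in this thread), the following Python builds a constructed OCI image index (the "manifest list"), computes its digest the way a registry does (sha256 over the manifest bytes it serves) and classifies a Dockerfile's FROM references as pinned to the multi-platform list, pinned to one platform's image, or unpinned. The image names and per-platform digests are made-up placeholders.

```python
import hashlib
import json
import re

# Constructed sample: an OCI image index (a "manifest list") with one entry per
# platform. The per-platform digests are made-up placeholders, not real images.
def _entry(arch, hex_byte):
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + hex_byte * 32, "size": 1234,
            "platform": {"os": "linux", "architecture": arch}}

MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [_entry("amd64", "11"), _entry("arm64", "22")],
}, separators=(",", ":")).encode()

INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")

def manifest_digest(manifest_bytes):
    """A registry's content digest is sha256 over the exact manifest bytes it serves."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

def is_manifest_list(manifest_bytes):
    doc = json.loads(manifest_bytes)
    return doc.get("mediaType") in INDEX_TYPES and isinstance(doc.get("manifests"), list)

def platforms(manifest_bytes):
    """Platforms the list covers, e.g. ['linux/amd64', 'linux/arm64']."""
    return [f"{m['platform']['os']}/{m['platform']['architecture']}"
            for m in json.loads(manifest_bytes)["manifests"]]

def check_pins(dockerfile, manifest_bytes):
    """Classify each FROM: unpinned, pinned to the list (all platforms), to one platform, or unknown."""
    per_platform = {m["digest"] for m in json.loads(manifest_bytes)["manifests"]}
    list_digest = manifest_digest(manifest_bytes) if is_manifest_list(manifest_bytes) else None
    result = {}
    for ref in FROM_RE.findall(dockerfile):
        m = DIGEST_RE.search(ref)
        digest = m.group(1) if m else None
        result[ref] = ("unpinned" if digest is None else
                       "multi-platform" if digest == list_digest else
                       "single-platform" if digest in per_platform else "unknown")
    return result
```

Pinning the list digest keeps one FROM line valid for every platform in the index, which is what a dependency-pinning check needs to see; pinning a per-platform digest only works on that one platform.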
@loosebazooka this does seem to work. It builds fine on my m1 mac. Thanks! |
I don't know if dependabot/renovate bot actually know how to keep these up to date though, be curious to see what happens |
Yea that should be fine since OCI objects are all hash referenced and verified. The person usually uploading the manifest would need the same permissions as whoever is uploading the manifest so shouldn't be an issue there - unless this changes in the future. |
Maybe I'm misunderstanding the original question: but was the question around dockerfiles rather than the resulting manifest? |
@laurentsimon Yes in the original question I was unsure how best to pin dependencies when using multi-platform images since I thought the digest hash was platform-specific. But as it turns out there's a digest hash which is not platform-specific, and using that works just fine for |
ah, I see. So there's a digest that contains all the other images. I'd like to add this to the documentation of our check for the remediation part. Mind drafting a sentence or 2 that we could add in our doc for other users to benefit from? You can send a PR or just paste it here if you prefer. |
can you link to the docs? |
this is the file to update https://github.com/ossf/scorecard/blob/main/docs/checks/internal/checks.yaml |
@loosebazooka still interested in tweaking the doc? |
I forgot about this. I'll take a look tomorrow if no one else is interested. |
Is your feature request related to a problem? Please describe.
Dockerfiles allow you to pin the FROM using a digest hash: This digest is however platform specific:
Therefore any project which wants to release or use multi-platform docker images can't use the digest in the FROM and they're going to get dinged by scorecard. With the release of M1 macs and ARM cloud servers this is becoming an increasingly common problem.
Describe the solution you'd like
Is there another way of pinning the digest that could solve this problem for multi-platform images? Perhaps we can update https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies to note that?
Describe alternatives you've considered
I guess just living with the lower score.