Readme suggesting to pull /latest from remotes instead of version pinning
Closed this issue · 3 comments
Yes, that's probably overthinking and slightly paranoid - I know it's up to the devs to make the necessary adjustments, but in the era of AI pulling information from readmes and people copy-pasting, it's probably worth thinking about.
I've never had much sympathy for pulling down the latest version of any package.
The main reason is that the local and remote images may differ: I'd be developing on an image that is 3/4 months old, while on deploy it might download a new version of the package with its new deprecations/inconsistencies.
Secondly, after the xz backdoor drama, it might be safer to run a specific and community battle-tested version.
So, on the readme we have these examples:
FROM php:7.2-cli
ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions /usr/local/bin/
RUN install-php-extensions gd xdebug
Could they follow the same approach other OSS binaries use in their examples? E.g. the Composer Dockerfile uses version pinning like this:
ENV COMPOSER_VERSION 2.7.4
RUN php /tmp/installer.php \
        --no-ansi \
        --install-dir=/usr/bin \
        --filename=composer \
        --version=${COMPOSER_VERSION}
Funnily enough, in that same Dockerfile they also install this binary with signature checking:
RUN set -eux ; \
    # install https://github.com/mlocati/docker-php-extension-installer
    curl \
        --silent \
        --fail \
        --location \
        --retry 3 \
        --output /usr/local/bin/install-php-extensions \
        --url https://github.com/mlocati/docker-php-extension-installer/releases/download/1.2.58/install-php-extensions \
    ; \
    echo 182011b3dca5544a70fdeb587af44ed1760aa9a2ed37d787d0f280a99f92b008e638c37762360cd85583830a097665547849cb2293c4a0ee32c2a36ef7a349e2 /usr/local/bin/install-php-extensions | sha512sum --strict --check
So could we suggest in the readme that people run the following, and potentially also provide signatures to check against:
FROM php:7.2-cli
ENV PHP_EXTENSION_INSTALLER_VERSION 2.2.14
ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/${PHP_EXTENSION_INSTALLER_VERSION}/install-php-extensions /usr/local/bin/
RUN install-php-extensions gd xdebug
Thoughts?
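The two ideas in the post (pin the release and verify the download) can be combined in a single ADD instruction. The Dockerfile below is an added example for this thread, not a snippet from the project's readme or from the Composer image; it assumes BuildKit with Dockerfile syntax 1.6 or newer, where ADD accepts a --checksum flag and fails the build on a mismatch. The version and SHA-512 are the ones quoted from the Composer Dockerfile in the post, so they belong to release 1.2.58 and have to be looked up again for any other release:

```dockerfile
# syntax=docker/dockerfile:1
FROM php:7.2-cli

# Pin the installer release instead of following /latest, so every build
# (local and remote) runs the same bytes. 1.2.58 is the version quoted
# from the Composer Dockerfile above.
ARG PHP_EXTENSION_INSTALLER_VERSION=1.2.58

# ADD --checksum (BuildKit, Dockerfile syntax 1.6+) compares the downloaded
# asset against the given digest before it lands in the layer; a swapped or
# tampered asset fails the build rather than getting executed in the next RUN.
# The digest below is the SHA-512 quoted in the post for release 1.2.58 and
# must be replaced whenever PHP_EXTENSION_INSTALLER_VERSION changes.
ADD --chmod=0755 \
    --checksum=sha512:182011b3dca5544a70fdeb587af44ed1760aa9a2ed37d787d0f280a99f92b008e638c37762360cd85583830a097665547849cb2293c4a0ee32c2a36ef7a349e2 \
    https://github.com/mlocati/docker-php-extension-installer/releases/download/${PHP_EXTENSION_INSTALLER_VERSION}/install-php-extensions \
    /usr/local/bin/

RUN install-php-extensions gd xdebug
```

Bumping the version and digest together in one commit keeps the update reviewable and leaves a clear record of which installer produced a given image; the RUN ... | sha512sum --strict --check form from the Composer Dockerfile is equivalent for builders without BuildKit.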
it might be safer to run a specific and community battle-tested version.
This project has a very quick release cycle, so there isn't a "battle-tested version" (would you consider battle-tested a version published 2 days ago when a newer one was published yesterday?).
Anyway, back to the actual question: using the very latest version or a fixed version? I think there is no one-size-fits-all answer: anyone can adopt the approach they want.
In any case, this is more a question/comment than a bug, so it'd be better to use discussions for it.
Sure, thanks for the feedback - I'll move the ticket to a Discussions thread.