docker-library / python

Docker Official Image packaging for Python

Home Page: https://www.python.org/


Checksum change for python:3.12.3-slim

stollero opened this issue · comments

Hello everyone,

we are using Renovate to update our Dockerfiles. The following update is surprising because I thought the tag python:3.12.3-slim was unmovable. Is this a mistake? Does a changelog for these kinds of updates exist?

- FROM python:3.12.3-slim@sha256:2be8daddbb82756f7d1f2c7ece706aadcb284bf6ab6d769ea695cc3ed6016743 AS base
+ FROM python:3.12.3-slim@sha256:afc139a0a640942491ec481ad8dda10f2c5b753f5c969393b12480155fe15a63 AS base

Thanks for your help.

Tags are not immutable by design. They get updated when the base image (Debian in this case) is updated. If you need an immutable image, you can refer to the digest (sha) of the image.

Thanks for the quick reply, good to know. From a security point of view, I use the sha to make sure that the image is the correct one. But, I also want to keep the image up-to-date with security updates.

What is a quick way to check that the slim update is legit and not some upload of a malicious actor?

@stollero we are doing a lot of work around signing images and having the content of those images signed as well (in the form of an SBOM), so this should be much easier soon.

Ok, validating the signature is the way to go. Thanks a lot 👍
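An added example (not from this thread or the docker-library project) of the check discussed above: a digest bump is only accepted when the tag is unchanged, the new pin is a well-formed digest, and it matches what the registry currently serves for that tag. The function names are my own; `resolve_docker_hub_digest` uses the public Docker Hub token and registry endpoints and is only called when run as a script, while the tests use the two digests quoted in the issue as constructed registry answers.

```python
import json
import re
import urllib.request

# Optional leading "-"/"+" lets the function accept lines copied from a diff.
# Registry hosts with a port and FROM flags such as --platform are not handled.
FROM_RE = re.compile(
    r"^\s*[-+]?\s*FROM\s+(?P<image>[^\s:@]+)(?::(?P<tag>[^\s@]+))?(?:@(?P<digest>\S+))?",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_from(line):
    """Split a Dockerfile FROM line into (image, tag, pinned digest)."""
    m = FROM_RE.match(line)
    if not m:
        raise ValueError("not a FROM line: %r" % line)
    return m.group("image"), m.group("tag"), m.group("digest")


def classify_update(old_line, new_line, registry_digest):
    """Judge a proposed pin change against the digest the registry serves for the tag."""
    old_img, old_tag, old_dig = parse_from(old_line)
    new_img, new_tag, new_dig = parse_from(new_line)
    if (old_img, old_tag) != (new_img, new_tag):
        return "tag-changed"      # a version bump, not a rebuild of the same tag
    if new_dig is None or not DIGEST_RE.match(new_dig):
        return "unpinned"         # pin dropped or malformed: the tag could move silently
    if new_dig == old_dig:
        return "no-change"
    if new_dig != registry_digest:
        return "digest-mismatch"  # registry does not serve this digest for the tag
    return "ok"


def resolve_docker_hub_digest(repo, tag):
    """Manifest-list digest Docker Hub currently serves for repo:tag (network call)."""
    token_url = "https://auth.docker.io/token?service=registry.docker.io&scope=repository:%s:pull" % repo
    token = json.load(urllib.request.urlopen(token_url))["token"]
    req = urllib.request.Request(
        "https://registry-1.docker.io/v2/%s/manifests/%s" % (repo, tag), method="HEAD",
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/vnd.oci.image.index.v1+json, "
                           "application/vnd.docker.distribution.manifest.list.v2+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Docker-Content-Digest"]


if __name__ == "__main__":
    OLD = "FROM python:3.12.3-slim@sha256:2be8daddbb82756f7d1f2c7ece706aadcb284bf6ab6d769ea695cc3ed6016743 AS base"
    NEW = "FROM python:3.12.3-slim@sha256:afc139a0a640942491ec481ad8dda10f2c5b753f5c969393b12480155fe15a63 AS base"
    # Official images live under "library/"; resolve the tag live and judge the proposed bump.
    print(classify_update(OLD, NEW, resolve_docker_hub_digest("library/python", "3.12.3-slim")))
```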