Open
Description
Summary
Currently, our Dockerfiles use :latest tags for base images, which can lead to non-reproducible builds and potential issues when base images are updated.
Problem
- Using `:latest` tags means builds are not reproducible
- registry.access.redhat.com tags are floating and can get repushed when base images are respun
- This affects build stability and predictability
Examples from current codebase
From jupyter/tensorflow/ubi9-python-3.12/Dockerfile.cuda:
```dockerfile
FROM registry.access.redhat.com/ubi9/go-toolset:latest AS mongocli-builder
FROM registry.access.redhat.com/ubi9/python-312:latest AS base
```
Proposed Solution
Replace :latest tags with either:
- More precise version tags (e.g., 1.X.Y)
- SHA256 digests for maximum reproducibility
Automation Considerations
This improvement is similar to issue #1241 in that it increases maintenance overhead to track upstream changes and keep everything up to date. Tools like Dependabot, Renovate, or Mintmaker (in Konflux) can help automate this process.
Acceptance Criteria
- Audit all Dockerfile FROM statements using `:latest` tags
- Replace with pinned versions or SHA256 digests
- Document the versioning strategy
- Consider automation tools for ongoing maintenance
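As an added example for the audit step above and for the tag-versus-digest distinction in the proposed solution (this is illustrative code written for this issue, not part of the repository), the script below scans Dockerfile text for FROM lines and classifies each base image as pinned by digest, pinned only by a mutable tag, explicitly `:latest`, untagged (implicitly latest), a reference to an earlier build stage, or an unresolvable ARG/variable. The sample Dockerfile is constructed: it reuses the two `:latest` lines quoted from Dockerfile.cuda and adds hypothetical variants, and the sha256 digest in it is a placeholder, not a real image digest.

```python
"""Audit Dockerfile FROM lines for unpinned base images (added example, not project code).

Categories returned per FROM line:
  latest    explicit :latest tag (floating)
  untagged  no tag and no digest, which Docker treats as :latest
  tag       a named tag without a digest (mutable; registry tags can be repushed)
  digest    pinned by @sha256:<64 hex> (content-addressed, immutable)
  scratch   the built-in empty image, nothing to pin
  stage     refers to an earlier build stage ("FROM base"), not a registry image
  variable  image comes from an ARG/variable, cannot be checked statically
"""
import re

# FROM [--flag ...] <image-ref> [AS <stage>]; flags such as --platform=... are skipped.
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

UNPINNED = {"latest", "untagged", "tag"}


def classify_ref(ref, known_stages):
    """Return the pin category of a single image reference."""
    if ref.lower() in known_stages:
        return "stage"
    if "$" in ref:
        return "variable"
    if ref.lower() == "scratch":
        return "scratch"
    if _DIGEST_RE.search(ref):
        return "digest"
    # Only the last path segment can carry a tag; earlier segments may hold a registry port
    # (e.g. localhost:5000/team/tool), so do not split on the first colon of the whole ref.
    last_segment = ref.rsplit("/", 1)[-1]
    if ":" not in last_segment:
        return "untagged"
    tag = last_segment.split(":", 1)[1]
    return "latest" if tag == "latest" else "tag"


def _logical_lines(text):
    """Join backslash line continuations so a FROM split over lines is seen as one statement."""
    joined, buf, start = [], "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        joined.append((start, buf + raw))
        buf, start = "", None
    if buf:
        joined.append((start, buf))
    return joined


def audit_dockerfile(text):
    """Return [(line_no, image_ref, category), ...] for every FROM statement in the text."""
    findings, stages = [], set()
    for lineno, line in _logical_lines(text):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        findings.append((lineno, ref, classify_ref(ref, stages)))
        if m.group("stage"):  # later "FROM <stage>" lines must not be flagged as untagged images
            stages.add(m.group("stage").lower())
    return findings


def unpinned(findings):
    """Keep only the findings that would make a build non-reproducible."""
    return [f for f in findings if f[2] in UNPINNED]


# Constructed sample input: the two lines quoted in the issue plus hypothetical variants.
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4  # placeholder, not a real digest
SAMPLE_DOCKERFILE = f"""\
ARG BASE=registry.access.redhat.com/ubi9/python-312
FROM registry.access.redhat.com/ubi9/go-toolset:latest AS mongocli-builder
FROM registry.access.redhat.com/ubi9/python-312:latest AS base
FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4 AS tagged
FROM registry.access.redhat.com/ubi9/ubi-minimal@{PLACEHOLDER_DIGEST} AS pinned
FROM ${{BASE}} AS fromarg
FROM base AS final
FROM localhost:5000/team/tool
"""

if __name__ == "__main__":
    for lineno, ref, category in unpinned(audit_dockerfile(SAMPLE_DOCKERFILE)):
        print(f"line {lineno}: {category:8s} {ref}")
```

Run against a real tree with something like `python audit.py` after swapping the sample for `open(path).read()` over each Dockerfile; anything reported as `latest`, `untagged` or `tag` is a candidate for a digest pin. Note that a version tag such as `9.4` still counts as unpinned here, because the issue's own point is that registry tags can be repushed; only the digest form is immutable.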
Related Issues
- Security: Add checksum verification for downloaded binaries in Python 3.12 images #1241 - Similar maintenance considerations for security improvements
Context
Identified during PR review of #1151 - discussion: #1151 (comment)
Requester: @jiridanek
Status: 📋 Backlog