diff --git a/CHANGELOG.md b/CHANGELOG.md
index 194d30b..904333d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 but enables you to chose which one you want to use, independently of your platform. ([#925](https://github.com/freedomofpress/dangerzone/issues/925))
+### Changed
+
+- The `debian` base image is now fetched by digest. As a result, your local
+ container storage will no longer show a tag for this dependency.
+
 ## [0.8.1](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...0.8.0)
 - Update the container image
diff --git a/Dockerfile b/Dockerfile
index 8975a40..f459a42 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,9 +2,9 @@
 # Dockerfile args below. For more info about this file, read
 # docs/developer/reproducibility.md.
-ARG DEBIAN_IMAGE_DATE=20250224
+ARG DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 ARG GVISOR_ARCHIVE_DATE=20250217
 ARG DEBIAN_ARCHIVE_DATE=20250226
@@ -185,8 +185,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
-# servers added there during image build time.
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any
+# DNS servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
 && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \
diff --git a/Dockerfile.env b/Dockerfile.env
index ac3fcd1..a229ae3 100644
--- a/Dockerfile.env
+++ b/Dockerfile.env
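Review bot: The new `FROM debian@${DEBIAN_IMAGE_DIGEST}` line loses the human-readable release/snapshot that the old `debian:bookworm-${DEBIAN_IMAGE_DATE}-slim` reference carried, so anyone auditing the Dockerfile, `docker history`, or the base-image provenance now has to cross-reference Dockerfile.env to learn what the digest stands for. Docker's reference syntax accepts `name:tag@digest` and still resolves by digest alone, so the pin stays exactly as strong if the tag is kept for documentation: `FROM debian:bookworm-20250224-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image`. The same applies to the corresponding hunk in Dockerfile.in, where the tag would need its own template variable; if that is too much churn, a comment on the `ARG` line such as `# Index digest of debian:bookworm-20250224-slim (see Dockerfile.env)` gives readers the same context.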
@@ -1,5 +1,8 @@
-# Can be bumped to the latest date in https://hub.docker.com/_/debian/tags?name=bookworm-
-DEBIAN_IMAGE_DATE=20250224
+# Should be the INDEX DIGEST from an image tagged `bookworm--slim`:
+# https://hub.docker.com/_/debian/tags?name=bookworm-
+#
+# Tag for this digest: bookworm-20250224-slim
+DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
 # Can be bumped to today's date
 DEBIAN_ARCHIVE_DATE=20250226
 # Can be bumped to the latest date in https://github.com/google/gvisor/tags
diff --git a/Dockerfile.in b/Dockerfile.in
index 050cd2a..bb8f8fc 100644
--- a/Dockerfile.in
+++ b/Dockerfile.in
@@ -2,9 +2,9 @@
 # Dockerfile args below. For more info about this file, read
 # docs/developer/reproducibility.md.
-ARG DEBIAN_IMAGE_DATE={{DEBIAN_IMAGE_DATE}}
+ARG DEBIAN_IMAGE_DIGEST={{DEBIAN_IMAGE_DIGEST}}
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 ARG GVISOR_ARCHIVE_DATE={{GVISOR_ARCHIVE_DATE}}
 ARG DEBIAN_ARCHIVE_DATE={{DEBIAN_ARCHIVE_DATE}}
diff --git a/docs/developer/reproducibility.md b/docs/developer/reproducibility.md
index 934e5a6..947a5bc 100644
--- a/docs/developer/reproducibility.md
+++ b/docs/developer/reproducibility.md
@@ -27,7 +27,7 @@ This means that rebuilding the image without updating our Dockerfile will
 Here are the necessary variables that make up our image in the `Dockerfile.env` file:
-* `DEBIAN_IMAGE_DATE`: The date that the Debian container image was released
+* `DEBIAN_IMAGE_DIGEST`: The index digest for the Debian container image
 * `DEBIAN_ARCHIVE_DATE`: The Debian snapshot repo that we want to use
 * `GVISOR_ARCHIVE_DATE`: The gVisor APT repo that we want to use
 * `H2ORESTART_CHECKSUM`: The SHA-256 checksum of the H2ORestart plugin
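Review bot: The new comment above `DEBIAN_IMAGE_DIGEST` says to use the INDEX DIGEST but does not say how to obtain or re-verify it, and the quoted tag pattern reads `bookworm--slim`, which looks like a dropped `<date>` placeholder (possibly an artifact of how this diff was rendered rather than the committed text). This value is the trust anchor for everything built on top of the base image, so the comment should name a reproducible way to check it, e.g. `# Verify/refresh with: docker buildx imagetools inspect debian:bookworm-20250224-slim` (the manifest-list digest it prints must equal this value). Spelling the pattern out as `bookworm-<date>-slim` would also make the first comment line unambiguous.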