Welcome!
What did you expect to see?
Upon investigating the Dockerfile for building the official traefik docker images, we stumbled upon this line of code:
wget --quiet -O /tmp/traefik.tar.gz "https://github.com/traefik/traefik/releases/download/v3.6.0/traefik_v3.6.0_linux_$arch.tar.gz"; \
to load the binary from the release archive.
I want to hint that best practice would like to see a checksum check afterwards to verify we indeed downloaded the file we expected, and then proceed to make it executable and ship it to thousands of people ;)
It would be great if the Dockerfile could include an additional line of code after the wget to perform a sha512sum check.
From the short look I had at the repository it seems that there is some workflow in place that updates the Dockerfiles for every new release. This workflow could then be extended to update the expected checksum in this new line of code.
Thanks for considering!
traefik-library-image/v3.6/alpine/Dockerfile
Line 14 in 9a3eca8
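One way the requested check could look, as an added example that is not part of the original issue or of the project's Dockerfile: a POSIX sh function that compares the archive's SHA-512 digest against a pinned value and deletes the file on mismatch. The function name, the `TRAEFIK_SHA512` variable and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the traefik-library-image repository.
# verify_sha512 FILE EXPECTED_HEX
#   returns 0 on match, 1 on mismatch (FILE is deleted), 2 on bad input.
verify_sha512() {
    vs_file=$1
    vs_pin=$2
    # A SHA-512 digest is exactly 128 hex characters; reject anything else so
    # an empty or truncated pin can never count as a match.
    case $vs_pin in
        ''|*[!0-9a-fA-F]*) echo "verify_sha512: malformed pin" >&2; return 2 ;;
    esac
    if [ "${#vs_pin}" -ne 128 ]; then
        echo "verify_sha512: malformed pin" >&2; return 2
    fi
    if [ ! -r "$vs_file" ]; then
        echo "verify_sha512: cannot read $vs_file" >&2; return 2
    fi
    vs_pin=$(printf '%s' "$vs_pin" | tr 'A-F' 'a-f')
    vs_actual=$(sha512sum "$vs_file" | cut -d' ' -f1)
    if [ "$vs_actual" != "$vs_pin" ]; then
        echo "verify_sha512: digest mismatch for $vs_file" >&2
        rm -f "$vs_file"   # never leave an unverified archive to be unpacked
        return 1
    fi
    return 0
}

# In the Dockerfile RUN step the call would sit right after the wget, e.g.
#   verify_sha512 /tmp/traefik.tar.gz "$TRAEFIK_SHA512" || exit 1
# TRAEFIK_SHA512 is a hypothetical name; its value would be written by the
# release workflow and is not given on this page.

# Demo on a constructed file (stands in for the downloaded archive).
demo_file=$(mktemp)
printf 'constructed archive bytes\n' > "$demo_file"
demo_pin=$(sha512sum "$demo_file" | cut -d' ' -f1)
verify_sha512 "$demo_file" "$demo_pin" && echo "untampered file: accepted"
printf 'x' >> "$demo_file"                      # simulate a modified download
verify_sha512 "$demo_file" "$demo_pin" 2>/dev/null || echo "modified file: rejected"
[ -e "$demo_file" ] || echo "modified file was removed"
```

The check only adds assurance when the pinned digest is committed to the Dockerfile at release time rather than fetched alongside the archive during the build.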