potiuk commented on issue #10753:
URL: https://github.com/apache/airflow/issues/10753#issuecomment-687675363
> You say binary in your argument while I am saying "the source is available", although not under ASF. The source being public should allow them to rebuild it, isn't it?
   
That would be ok if only "official" images are used to build the image and sources, and you can use those to rebuild it yourself. This is not valid for the Astronomer pgbouncer image really, because the image is not using "official image" + "sources". I looked in detail at that image:
   
a) Astronomer's image uses jbub's pgbouncer-exporter image to build from: https://github.com/astronomer/ap-vendor/blob/main/pgbouncer-exporter/Dockerfile
   
b) jbub's image is built in an interesting way. It's a "shell" rather than an image. It merely adds a binary built OUTSIDE of the Dockerfile/image. The pgbouncer binary is not built "inside the Docker container"; it is just added to the image as a binary from the host. It's not built from sources (we do not know how it was built really). At the time of image creation, the binary could be completely different even if you used 'docker build .'. See https://github.com/jbub/pgbouncer_exporter/blob/master/Dockerfile#L4
   
This means that it does not matter if I am using the Astronomerinc binary or sources: I have no idea where the binary comes from. I can only do it, and only know where it came from, if I am using jbub's sources. If I am a user, I have to trust Astronomer that they verified and scanned the image or otherwise confirmed its origin. And since the licence of Astronomer's image is not giving me any guarantees about it, I cannot trust it.
   
c) So in order to recreate jbub's image from the sources you need to get the right golang version, know how to build the binary and only then add it to the image. This is precisely what my script does. It takes the official base image, the official go installation and the sources of jbub and creates the image: https://github.com/apache/airflow/pull/10759. This is not what Astronomer's image does. Even pointing to Astronomer's image sources https://github.com/astronomer/ap-vendor/tree/main/pgbouncer-exporter does not help. If the user wants to rebuild the image following "official binary + sources", they have to use jbub.
   
This is precisely what the script I am adding is doing: by providing the script, I am just telling the user how to rebuild the image in a way that lets them be sure where it came from.
   
And that's why I think we should follow the same pattern. A script in our repo that takes official binaries and released sources is the best way to go.
   
Would you agree with it?
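As an added illustration of the two build patterns contrasted in the comment above (this is not the script from PR #10759 nor the Dockerfile of any image discussed), the "shell" form that copies a host-built binary is shown commented out, followed by a multi-stage build that compiles the exporter inside the image from a pinned jbub tag using an official Go image. The version tags, the assumption that the `main` package sits at the repository root, and the Alpine base are placeholders, not values taken from the thread.

```dockerfile
# Pattern criticised above: the binary is produced somewhere outside this
# file and merely copied in, so nothing here records which sources,
# compiler or flags created it, and `docker build .` cannot reproduce it.
#
#   FROM alpine
#   COPY pgbouncer_exporter /usr/local/bin/pgbouncer_exporter
#   ENTRYPOINT ["/usr/local/bin/pgbouncer_exporter"]

# Alternative: official toolchain + pinned released sources, built inside
# the image. Every input is visible in this file and under version control.
# Placeholder values (assumptions): pin them to releases you have reviewed.
ARG GO_VERSION=1.15
ARG EXPORTER_REF=v0.0.0
ARG EXPORTER_REPO=https://github.com/jbub/pgbouncer_exporter.git

FROM golang:${GO_VERSION} AS build
ARG EXPORTER_REF
ARG EXPORTER_REPO
WORKDIR /src
# Check out exactly the named tag; a moving branch would defeat the point,
# because two builds could silently pick up different code.
RUN git clone --depth 1 --branch "${EXPORTER_REF}" "${EXPORTER_REPO}" .
# Static build: -trimpath removes build-host paths, -s -w strips symbols,
# so the output depends on the sources and toolchain rather than the host.
# Assumes the main package is at the repository root.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/pgbouncer_exporter .
# Record the digest of what was built so an operator can compare it with a
# binary shipped in some other image before deciding to trust that image.
RUN sha256sum /out/pgbouncer_exporter > /out/pgbouncer_exporter.sha256

# Placeholder runtime base (assumption); use the official image you vetted.
FROM alpine:3.12
COPY --from=build /out/pgbouncer_exporter /usr/local/bin/pgbouncer_exporter
COPY --from=build /out/pgbouncer_exporter.sha256 /usr/local/share/pgbouncer_exporter.sha256
# Run unprivileged; the exporter only needs network access to pgbouncer.
USER nobody
ENTRYPOINT ["/usr/local/bin/pgbouncer_exporter"]
```

Because all inputs are declared as build arguments, a reviewer can rebuild with `docker build --build-arg EXPORTER_REF=<tag> .` and diff the recorded digest against the binary inside any third-party image claiming to ship the same release.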


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
