On Tue, Feb 5, 2019 at 2:48 PM Dave <[email protected]> wrote:
> I totally agree with you that Docker images should be built from official
> source releases, unless they are clearly marked as unofficial SNAPSHOT
> releases and intended for testing. I'm just repeating what I've heard over
> and over again from various ASF members that the only official release is
> the source release; I'd don't agree with that point of view.
>
> I'm curious what "built from the official source releases". Does that mean
> that you must create Docker images by downloading the official source
> release, verifying it's hash and then building image? Or, are you allowed
> to build your Docker images from the same SCM tag as was used to create the
> source release?
>
I think an acceptable solution could be:
* make sure that your :latest tag either points to a Docker scratch
container
or a container that simply prints Incubator disclaimer and exists
* introduce a tagging scheme for nightly builds (personally I'm quite
fond
of tagging nightly docker builds with SHAs from your git tree from
which
you build the image)
* introduce :snapshot tag that points at the latest tag from previous
item
I feel that this could be passable for IPMC.
Thanks,
Roman.
