Feature request - Alpine Linux version in Docker image tag

[rokf]

Hi 🙂

We (my team at work) were wondering if the Alpine Linux images could get additional tags where the used Alpine Linux version would be part of the tag? Like 1.21.6-alpine-3.15.4 for example.

We'd appreciate this because it'd be easier to track CVE. Docker image pulling would also be more predictable - we'd know ahead which Alpine Linux version we can expect.

[yosifkit]

Just a note that as part of the official images, the images are rebuilt any time the base image is updated. For example, the images with FROM alpine:3.15 will be rebuilt on every 3.15.x release or any other time the alpine:3.15 image is updated. If the FROM was changed to a specific release of Alpine 3.15, like 3.15.4, then there would be manual work here and then a PR to https://github.com/docker-library/official-images to get an updated image.

I don't mind if the image tags have the Alpine version in them like golang does, but that is up to Nginx maintainers.

[thresheek]

Having a major.minor (e.g. nginx:1.21.6-alpine3.15) appended to the aliases is doable, but I'm not too sure it would be helpful in this exact case?

[rokf]

That won't be enough 🙂

[thresheek]

And I don't think it would be easier to track CVEs either - in any case the security team would need to ask package manager for exact versions of software shipped so they could identify if a patch to fix an issue was applied or not.

[tzimmermann]

Just a note that as part of the official images, the images are rebuilt any time the base image is updated. For example, the images with FROM alpine:3.15 will be rebuilt on every 3.15.x release or any other time the alpine:3.15 image is updated.

Maybe I am misunderstanding this, but just recently, alpine 3.16.1 was released.
As I understand your message, alpine:3.16 has been updated to alpine:3.16.1 and we should get an updated nginx:1.23.0-alpine automatically, based on the new version?
That does not seem to be the case, 1.23.0-alpine is still three weeks old, it seems.

[thresheek]

hi @tzimmermann - your understanding is correct, and I think the updated images were just (20 minutes ago actually!) pushed to the docker hub.

[MattIPv4]

👋 I would just like to note my +1 for including major.minor in tags as aliases (so nginx:1.22.0-alpine3.16 would be an alias for nginx:1.22.0-alpine) -- it'd be rather helpful in avoiding accidental updates of Alpine in our images :)

This seems to be a reasonably common thing to do (Node.js, Golang)

[thresheek]

Thanks @MattIPv4.

I think it's also beneficial to add a version of Debian used in the tags for the same reason.

[thresheek]

Feel free to comment on the PR that implements major.minor for Alpine tags: #754