Hadolint default config #3360

Jayllyz · 2024-02-08T20:58:16Z

Jayllyz
Feb 8, 2024

Hello, I was wondering why DL3018 is ignored by default and not DL3008 which looks quite similar to me.

Mar 21, 2024

Also, Alpine (re: 3018) doesn't retain long lists of old versions of packages while older versions of Debian packages tend to last much longer (re: 3008). As a result, there's much less of a chance of pulling in a problematic version of something via apk as opposed to apt.

I spent some time working through the idea of a tool to update package pins for Alpine packages:

How do you expect this to work? You pin packages to a specific version, then one of the packages is upgraded, and then your docker build fails and you have to update the pinned version to the one that is available.
Pinning / locking does not really work in the case of Alpine Linux where you just have a single version availa…

View full answer

llaville · 2024-02-09T04:55:14Z

llaville
Feb 9, 2024
Collaborator

@Jayllyz Your remark seems coherent

Perharps we should change default template => https://github.com/oxsecurity/megalinter/blob/main/TEMPLATES/.hadolint.yaml
/cc @nvuillam, @Kurt-von-Laven

3 replies

wesley-dean-flexion Mar 21, 2024

Also, Alpine (re: 3018) doesn't retain long lists of old versions of packages while older versions of Debian packages tend to last much longer (re: 3008). As a result, there's much less of a chance of pulling in a problematic version of something via apk as opposed to apt.

I spent some time working through the idea of a tool to update package pins for Alpine packages:

How do you expect this to work? You pin packages to a specific version, then one of the packages is upgraded, and then your docker build fails and you have to update the pinned version to the one that is available.
Pinning / locking does not really work in the case of Alpine Linux where you just have a single version available and old versions are no longer available. What I do is instead of pinning it to an exact patch version is to pin the package to a major version (git add foo~1), so that patch and even minor versions are installed, but you need to explicitly do something when a new major version is pushed. Hadolint accepts those kinds of pins.

conversation source

So, having 3018 ignored by default while 3008 is not makes sense to me.

Answer selected by nvuillam

wesley-dean-flexion Mar 21, 2024

I got around this by pinning only to major releases which satisfied hadolint while retaining much of the flexibility I want so as to not have to constantly update package pins:

RUN apk add --no-cache \
  bash=~5 \
  coreutils=~9 \
  curl=~8 \
  git=~2 \
  sed=~4 \
&& rm -rf /var/cache/apk/*

source

nvuillam Mar 26, 2024
Maintainer

@wesley-dean-flexion I'm convinced by your arguments :)

Anyway... default config files are often "permissive", so made to be overridden locally in repos :)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hadolint default config #3360

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Hadolint default config #3360

Jayllyz Feb 8, 2024

Replies: 1 comment · 3 replies

llaville Feb 9, 2024 Collaborator

wesley-dean-flexion Mar 21, 2024

wesley-dean-flexion Mar 21, 2024

nvuillam Mar 26, 2024 Maintainer

Jayllyz
Feb 8, 2024

Replies: 1 comment 3 replies

llaville
Feb 9, 2024
Collaborator

nvuillam Mar 26, 2024
Maintainer