During #328, I encountered the following static analysis output I wanted to correct but wanted community input:
Hadolint output:

```
Error: ./images/Dockerfile:18 DL3018 Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
```

In our Dockerfile we import:

```dockerfile
RUN apk add --no-cache --virtual build-dependencies build-base linux-headers
....
RUN apk add --no-cache hwdata-pci
```
Pros for setting it to a specific version:

- We get a version we know works - more deterministic.

Cons for setting it to a specific version:

- We need to update the version before it's no longer available in the package manager's repo or it will break our builds.

My feeling is we ignore it and let downstream worry about this... but I defer to folks who have more experience with managing upstream projects.
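The DL3018 rule above only asks that each package be written as `name=version`. The following is an added example, not hadolint and not this project's code: a small POSIX sh check that joins backslash-continued `RUN` lines, finds `apk add` calls, and lists the packages that carry no `=version` pin, so the two `RUN` lines from this Dockerfile can be compared against a pinned form. The demo Dockerfile, its base-image tag and the curl version string are constructed placeholders.

```shell
#!/bin/sh
# Minimal DL3018-style check, constructed for this thread (not hadolint, not
# the project's code): list packages in `RUN apk add ...` lines that are not
# pinned as name=version. Backslash-continued RUN lines are joined first.

# unpinned_apk_packages <dockerfile>: prints one unpinned package per line.
unpinned_apk_packages() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" |
    grep -E '^RUN[[:space:]].*apk[[:space:]]+add' |
    while IFS= read -r line; do
        # Keep only the argument list after `apk add`, up to the next && or ;
        rest=$(printf '%s\n' "$line" |
               sed -e 's/.*apk[[:space:]]*add//' -e 's/&&.*//' -e 's/;.*//')
        skip=0
        for tok in $rest; do
            if [ "$skip" -eq 1 ]; then skip=0; continue; fi
            case "$tok" in
                --virtual|-t) skip=1 ;;   # next token names the virtual group, not a package
                -*) ;;                    # other flags such as --no-cache
                *=*) ;;                   # pinned as name=version: what DL3018 asks for
                *) printf '%s\n' "$tok" ;;
            esac
        done
    done
}

# apk_pins_ok <dockerfile>: exit 0 only if every apk package is pinned
apk_pins_ok() {
    [ -z "$(unpinned_apk_packages "$1")" ]
}

# Demo input: the thread's two RUN lines plus one pinned line. The base image
# tag and the curl version are made-up placeholders, not recommendations.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
FROM alpine:3.x-placeholder
RUN apk add --no-cache --virtual build-dependencies build-base linux-headers
RUN apk add --no-cache hwdata-pci
RUN apk add --no-cache \
    curl=0.0.0-r0
EOF

unpinned_apk_packages "$demo_file"   # build-base, linux-headers, hwdata-pci
apk_pins_ok "$demo_file" && echo "all pinned" || echo "unpinned packages found"
rm -f "$demo_file"
```

Running the check in CI gives the same signal as DL3018 without the linter; it says nothing about whether a pinned version is still present in the Alpine repository, which is the maintenance cost the post describes.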
Raised this in today's meeting, there were no specific recommendations.
An additional downside of pinning the version is possibly having to deal with CVEs for these packages.

As an example:

1. A CVE is discovered in package foo in version X, which is pinned in our project.
2. A fix was introduced and a new package was built and released as X+1.
3. A PR needs to be submitted to manually update this package version in the Dockerfile.

Not having a package fixed means we would have new features/fixes introduced to these packages as they are released (and possibly bugs as a downside).

I share the same feeling as martin on this for the moment.