I have recently written about pinning Docker images, and I am starting to use this for my various repositories that use Docker.
Now I have received a PR from Dependabot, which looks weird:
- PR: #257
It looks different from how they normally do, and it came after another recent PR:
- PR: #249
The PR wants to bump my Docker base image for Python:

```dockerfile
# Python 3.13.5-slim-bookworm
FROM python@sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81
```

The PR description says:

> Bumps python from `f2fdaec` to `5f69d22`.
If I pull the image from Docker Hub and inspect it, I do find the checksum (digest) I already know:

```shell
docker pull python:3.13.5-slim-bookworm
docker inspect python:3.13.5-slim-bookworm | jq -r '.[] | .RepoDigests[]'
python@sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81
```
Here the full digest `f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81` begins with `f2fdaec`, the short form Dependabot shows as the current value, but not with `5f69d22`, the short form it wants to bump to.

I have deleted the local image and pulled it again, with the exact same result.

If somebody knows how I should read this, do let me know.
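To make the two short digests in the PR concrete, here is an added example (not code from the original post): it shows that a short digest such as `f2fdaec` is nothing more than a prefix of the 64-hex-character digest, and that one multi-arch tag legitimately resolves to several digests, the OCI image index (manifest list) that `docker pull <tag>` reports as `Digest:` plus one manifest per platform inside it. All manifest data below is constructed, the function names (`tag_digests`, `match_short`, `check_pins`) are my own, and nothing here claims to identify what `5f69d22` in the PR actually points to; for real data, feed the output of `docker buildx imagetools inspect --raw <ref>` to `tag_digests` instead of the constructed index.

```python
import hashlib
import json
import re

# Added example, not code from the original post. Every manifest below is a
# CONSTRUCTED stand-in for registry data: the config/layer digests are fake,
# only the digest arithmetic and the matching logic are real.


def digest_of(raw: bytes) -> str:
    """A registry content digest is sha256 over the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def _fake_manifest(arch: str) -> bytes:
    # Constructed per-platform image manifest; config and layer digests are dummies.
    body = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": "sha256:" + hashlib.sha256(f"config-{arch}".encode()).hexdigest(),
                   "size": 1234},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                    "digest": "sha256:" + hashlib.sha256(f"layer-{arch}".encode()).hexdigest(),
                    "size": 56789}],
    }
    return json.dumps(body, separators=(",", ":")).encode()


PLATFORM_MANIFESTS = {
    "linux/amd64": _fake_manifest("amd64"),
    "linux/arm64": _fake_manifest("arm64"),
}


def build_index(manifests: dict) -> bytes:
    """Build the OCI image index (manifest list) a multi-arch tag points at."""
    entries = []
    for platform, raw in manifests.items():
        os_name, arch = platform.split("/")
        entries.append({
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": digest_of(raw),
            "size": len(raw),
            "platform": {"os": os_name, "architecture": arch},
        })
    index = {"schemaVersion": 2,
             "mediaType": "application/vnd.oci.image.index.v1+json",
             "manifests": entries}
    return json.dumps(index, separators=(",", ":")).encode()


INDEX_RAW = build_index(PLATFORM_MANIFESTS)


def tag_digests(index_raw: bytes) -> dict:
    """Every digest a multi-arch tag can legitimately resolve to: the index
    itself plus each platform-specific manifest it lists."""
    index = json.loads(index_raw)
    out = {"index": digest_of(index_raw)}
    for m in index["manifests"]:
        p = m["platform"]
        out[f"{p['os']}/{p['architecture']}"] = m["digest"]
    return out


SHORT_RE = re.compile(r"^(?:sha256:)?([0-9a-f]{7,64})$")


def match_short(short: str, full_digests) -> list:
    """Resolve a Dependabot-style short digest (e.g. 'f2fdaec') against full
    digests: it is a prefix of the hex part, nothing more."""
    m = SHORT_RE.match(short.strip())
    if not m:
        raise ValueError(f"not a digest or digest prefix: {short!r}")
    prefix = m.group(1)
    return [d for d in full_digests if d.split(":", 1)[1].startswith(prefix)]


FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?"
    r"(?P<image>[^\s@:]+)(?::(?P<tag>[^\s@]+))?@(?P<digest>sha256:[0-9a-f]{64})",
    re.IGNORECASE | re.MULTILINE,
)


def check_pins(dockerfile_text: str, known: dict) -> list:
    """For each digest-pinned FROM line, report which of the tag's digests it is
    ('index', a platform key, or None if the tag no longer points there)."""
    by_digest = {d: name for name, d in known.items()}
    return [(m["image"], m["digest"], by_digest.get(m["digest"]))
            for m in FROM_RE.finditer(dockerfile_text)]


if __name__ == "__main__":
    known = tag_digests(INDEX_RAW)
    for name, d in known.items():
        print(f"{name:12} {d}")
    short = known["index"][7:14]          # the 7-char form Dependabot prints
    print("short", short, "->", match_short(short, known.values()))
    dockerfile = f"# python 3.13.5-slim-bookworm\nFROM python@{known['index']}\n"
    print(check_pins(dockerfile, known))
```

The practical check when a bump looks odd is to run `check_pins` against the digests the tag resolves to today: a result of `None` for the currently pinned digest means the tag has been moved to a different manifest (retagged), while a platform key instead of `index` means the pin is to one architecture's manifest rather than the multi-arch index, which is also a way two different digests can both be "the" image behind one tag.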
Top comments (2)
This seems weird indeed. The problem, IMHO, is that people are "retagging" the `python:3.13.5` image, which is problematic. That `latest` gets retagged is sorta expected, that versions get retagged isn't. If it were `python:3.13`, without the patch level, I could also understand it better.

Solution found: the unknown, or rather unidentified, SHA was pointing to `latest`. With a little AI assistance I ended up with this:
Lifted from: