tianon
commented
3 years ago FWIW, when it's APT+GPG, we're usually more lax on this requirement because we can then safely MitM the download intentionally for download caching (and the GPG verification APT performs + explicit version pinning keeps us ~safe), but in this case this is totally reasonable because we likely don't rebulid the same MariaDB versions often enough to need a download cache (like we do for other really commonly installed packages from the base distributions :smile:).
Per requirement "using https where possible" https://github.com/docker-library/official-images#image-build