Update Docker Hub Version of Caddy

[ejw9988]

Earlier this month Alpine Linux was updated from 3.8 to 3.8.1 for security fixes. Building the Caddy container from the Dockerfile will use the new version as expected. However, pulling the Caddy image from Docker Hub still pulls an image using 3.8.

Would it be possible to have the Docker Hub image updated to use the newer version of Alpine?

[abiosoft]

Yeah, sure. But it will only apply to :latest and not the tagged releases until the next version of Caddy is released.

[fungiboletus]

You could also rebuild and update the existing tags. I believe it's what Docker do on the official images.

[abiosoft]

Yes you can if you absolutely have to but ideally a tag should be a guarantee that it is not gonna change.

You could also rebuild and update the existing tags. I believe it's what Docker do on the official images.

[fungiboletus]

I understand the reason behind why you don't want to update a container behind a docker tag.

But not updating an image when the dependencies have security updates for months, because Caddy has no new release, is not the best security practice in my humble opinion.

I would expect an image with the same semantic versioning tag than the software packaged inside, to match the software tag on its Github or similar, but to have updated dependencies in its docker image for security.

If as an user I really want to make sure I will always use exactly the same docker image, I would tag it with another tag, like the semver and the current date, and push it to my private registry.

[abiosoft]

There is no 3.8.1 tag for Alpine, which means the current 3.8 tag has been updated. I have triggered new builds and the images should be using latest Alpine version any moment.

[teohhanhui]

There should be tags such as abiosoft/caddy:1.0. Refer to the official Docker images for a good example.

[abiosoft]

@teohhanhui https://hub.docker.com/r/abiosoft/caddy/tags

[teohhanhui]

@abiosoft I don't see a 1.0 tag.