docker / hub-feedback

Feedback and bug reports for the Docker Hub
https://hub.docker.com

Can't see Dockerfile tab even for repositories which use Docker Hub build system #2126

Open anschnapp opened 3 years ago

anschnapp commented 3 years ago

Problem description

Can't see the Dockerfile tab even for repositories which use the Docker Hub build system.

I tried many repositories where I'm sure it worked in the past. I could only see the source repository there (and it's unclear where the Dockerfile is located there, if any; there was one repo where I couldn't find any Dockerfile resource in the linked GitHub repository).

On my own repositories where I use the Docker Hub build system (in combination with GitHub), I could see the Dockerfile tab when I click on "public view"...

... but if I open it in another browser session where I'm not logged in, I don't see the Dockerfile tab.

For easy validation of this issue, this is my own repo where I'm testing the view with an unsigned user: https://hub.docker.com/r/docker2snap/yaml2props

Without a dockerfile tab (and without being an official repo), it's impossible to trust an image IMHO. So, from my understanding this is crucial.

binman-docker commented 3 years ago

I'm not sure exactly what's going on with the UI and under what conditions a Dockerfile would be shown - but:

A Dockerfile being shown wouldn't tell you anything about the security of an image/tag anyway. The owner of a repository could push a tag over an existing tag even if it was built with a different Dockerfile and contained completely different content, since tags are not immutable.

I would recommend sticking to official images, verified publisher images, or building your own images from a supplied Dockerfile/repository you trust, depending on your security needs.

serjkarneichyk commented 3 years ago

You can see the Dockerfile tab in the public repo view only if you are the owner of the namespace and have auto build enabled for that repo. You need to be logged in.

anschnapp commented 3 years ago

@binman-docker you are right that it would not give you 100% security if you could see the Dockerfile which was used for a tag inside of Docker Hub.

But it would give some trust about how the project is normally built together. In addition, if I only use the image locally, I could review the Dockerfile on Docker Hub which was used for the recent build (or the Dockerfile for the currently uploaded tags).

Then I could pull the image, and if I really want to be sure I could recheck the page to see if something changed (in the last minutes; many unofficial repos do not change in months).

> @binman-docker wrote: or building your own images from a supplied Dockerfile/repository you trust

Yes, that's right, but sometimes the Dockerfile is hard to find inside the linked repository of a Docker Hub project. I had one case where it seems that no Dockerfile was in the linked repo at all. Using a Dockerfile which is exposed already on the Docker Hub page would be much easier and stable IMHO.

Also in the book "Docker in Action" the review of dockerfiles of unofficial repositories was mentioned as a best practice.

Only sticking to official images would not work for the majority of little open source projects out there. I think Docker Hub should be a platform everyone could share and contribute on.

Edited: You could also see the digest of each tag inside Docker Hub, so it would be possible to compare this with the downloaded image (to be sure it's the same version you have reviewed there).
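The two security points raised in this thread, that a tag can be re-pushed with different content (binman-docker) and that the digest shown on the Hub page can be compared against what was pulled (anschnapp's edit), come down to one practice: review content by digest, then pin to that digest. The script below is an added example written for this issue page; it is not code from the issue, from Docker Hub, or from the Docker project. It parses image references, flags ones that are only tag-pinned, and shows a constructed pair of manifests (not real Hub data) where the same tag is re-pushed: the reviewed digest still matches the original bytes and rejects the replacement. The registry-side rule it relies on is real (a content digest is sha256 over the raw manifest bytes); the manifest bytes and the `example/app` name are made up for the demo.

```python
import hashlib
import hmac
import re

# A registry content digest: algorithm prefix plus 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split an image reference into (name, tag, digest).

    Handles 'name', 'name:tag', 'name@sha256:...' and 'name:tag@sha256:...'.
    A registry host with a port ('registry:5000/app') is not mistaken for a
    tag because only a ':' after the last '/' separates the tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def is_pinned(ref):
    """True only when the reference names content by a well-formed digest."""
    _, _, digest = parse_reference(ref)
    return digest is not None and DIGEST_RE.match(digest) is not None


def manifest_digest(manifest_bytes):
    """Digest as a registry computes it: sha256 over the raw manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def verify_manifest(manifest_bytes, expected_digest):
    """Compare fetched manifest bytes against the digest that was reviewed."""
    return hmac.compare_digest(manifest_digest(manifest_bytes), expected_digest)


# Constructed sample manifests (not real Docker Hub data): the tag
# 'example/app:latest' pointed first at V1, then at a re-pushed V2.
MANIFEST_V1 = b'{"schemaVersion":2,"layers":[{"digest":"sha256:aaaa"}]}'
MANIFEST_V2 = b'{"schemaVersion":2,"layers":[{"digest":"sha256:bbbb"}]}'


def demo():
    """Walk through review-by-digest against a mutable tag."""
    reviewed = manifest_digest(MANIFEST_V1)        # what you read on the Hub page
    pinned_ref = "example/app:latest@" + reviewed  # pin to exactly that content
    return {
        "tag_only_pinned": is_pinned("example/app:latest"),            # False
        "digest_ref_pinned": is_pinned(pinned_ref),                     # True
        "v1_matches": verify_manifest(MANIFEST_V1, reviewed),           # True
        "repushed_tag_matches": verify_manifest(MANIFEST_V2, reviewed), # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the local side, `docker inspect --format '{{.RepoDigests}}' example/app:latest` prints the repository digests recorded when the image was pulled, and `docker pull example/app@sha256:<digest>` fetches exactly that content regardless of where the tag points later. One caveat when comparing against the Hub page: for multi-platform images the digest listed for a tag is the manifest list digest, which differs from the digest of the per-platform image manifest inside it.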

github-actions[bot] commented 2 years ago

We are clearing up our old issues and your ticket has been open for 6 months with no activity. Remove stale label or comment or this will be closed in 15 days.

anschnapp commented 2 years ago

Please don't close this because of inactivity.

To my understanding this is still crucial.