eclipse-mosquitto / mosquitto

Eclipse Mosquitto - An open source MQTT broker
https://mosquitto.org

mosquitto docker image / multiple digest changes in past 3 days / suspicious? #3087

Closed reefland closed 1 month ago

reefland commented 4 months ago

I have my mosquitto image with SHA pinned at:

docker.io/library/eclipse-mosquitto:2.0.18@sha256:c1322c707de51ee034b9fe2204975d8fd716ed6b8a5a39a3dffe53ec024dc30d

Over the past 3 days RenovateBot reported many digest updates for this version which does not seem like typical activity for this image. It seems suspicious to me. Something going on??


Daedaluz commented 4 months ago

Does this help? Issue #2484

reefland commented 4 months ago

Sort of... if there is a known cause it explains why a one-off digest with no changes happens, such as in 2022 it referenced the "defunct gpg keyserver".

It's not just mosquitto, it seems all the docker.io images I have references to had new digests issued without version changes. None of them had as many as mosquitto which made it stand out.

Thanks.

Daedaluz commented 4 months ago

I assume you mean "no changes" as in there are no release notes or any "change notes". I do not know if these notes exist anywhere specifying exactly why an image is rebuilt, but I do know all library images are actively rebuilt to keep the base up to date and include eventual security fixes, even those not directly related to mosquitto itself.
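
Added example, not part of the thread or of the Mosquitto project: one way to triage a new digest published under an unchanged tag is to compare the OCI image config of the pinned digest with that of the new one. The heuristic, the function names and every sample value (layer IDs, environment, entrypoint) are constructed assumptions.

```python
# Heuristic triage of a digest change for a pinned tag.
# Inputs are OCI image config documents (the JSON blob an image manifest
# points to). All sample values below are constructed, not real digests.

RUNTIME_KEYS = ("Env", "Entrypoint", "Cmd", "User", "ExposedPorts", "Volumes")


def first_layer_diff(old_ids, new_ids):
    """Index of the first layer whose diff_id differs, or None if identical."""
    for i, (a, b) in enumerate(zip(old_ids, new_ids)):
        if a != b:
            return i
    if len(old_ids) == len(new_ids):
        return None
    return min(len(old_ids), len(new_ids))  # one image has extra layers


def triage(old_cfg, new_cfg):
    """Classify what changed between two builds published under the same tag."""
    old_rt, new_rt = old_cfg.get("config", {}), new_cfg.get("config", {})
    changed_keys = [k for k in RUNTIME_KEYS if old_rt.get(k) != new_rt.get(k)]
    idx = first_layer_diff(old_cfg["rootfs"]["diff_ids"],
                           new_cfg["rootfs"]["diff_ids"])
    if changed_keys:
        verdict = "review: runtime config changed"
    elif idx is None:
        verdict = "metadata-only: same filesystem, same runtime config"
    elif idx == 0:
        verdict = "consistent with base image rebuild"
    else:
        verdict = "review: base layers unchanged, upper layers differ"
    return {"verdict": verdict, "first_changed_layer": idx,
            "changed_keys": changed_keys}


def _cfg(layers, env):
    """Build a constructed sample config (hypothetical entrypoint path)."""
    return {"rootfs": {"type": "layers", "diff_ids": layers},
            "config": {"Env": env, "Entrypoint": ["/docker-entrypoint.sh"]}}


ENV = ["PATH=/usr/sbin:/usr/bin:/sbin:/bin", "VERSION=2.0.18"]  # constructed
PINNED = _cfg(["sha256:aaa1", "sha256:bbb1", "sha256:ccc1"], ENV)
REBUILT = _cfg(["sha256:aaa2", "sha256:bbb2", "sha256:ccc1"], ENV)
ODD = _cfg(["sha256:aaa1", "sha256:bbb1", "sha256:ddd9"], ENV + ["DEBUG=1"])

if __name__ == "__main__":
    for name, cfg in (("REBUILT", REBUILT), ("ODD", ODD)):
        print(name, triage(PINNED, cfg))
```

A "consistent with base image rebuild" verdict only narrows the question; it does not verify where the new image came from.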

Daedaluz commented 1 month ago

Can we close this?