Open bkmartinjr opened 2 years ago
Thanks, Bruce. Agreed, we will start referencing Docker images with @sha256.
Thanks, Bruce. Agreed, we will start referencing Docker images with @sha256.
While using the sha256 digest will give you binary reproducibility, I'd argue that human readable versions are better for human understanding of what's going on (ie is sha256a before or after sha256b? Or on an alternate timeline/branch?) Of course, either is much, much better than :latest
which is completely unreproducible.
Various QC WDL such as
QC/tasks/quast.wdl
reference their docker image dependency using the:latest
tag. This causes an ambiguity on which image is required, as latest is an ambiguous tag (changes over time). This can cause a couple of issues:Recommend that all images be referenced in WDL by an unambiguous tag or their actual digest. That will create an unambiguous dependency.
CC @0seastar0 @tpesout