mlocati / docker-php-extension-installer

Easily install PHP extensions in Docker containers
MIT License

Readme suggesting to pull /latest from remotes instead of version pinning #919

Closed luigimannoni closed 4 months ago

luigimannoni commented 4 months ago

Yes, that's probably overthinking and slightly paranoid - I know it's up to the devs to make the necessary adjustments, but in the era of AI pulling down information from readmes and copy-and-pastes, it's probably worth thinking about.

I never felt a particular sympathy for pulling down the latest version of any package. The main reason being that images locally and on remote may differ: I'd be developing on an image that is 3/4 months old, while on deploy it might download a new version of the package with its new deprecations/incongruences.

Secondly, after the xz backdoor drama, it might be safer to run a specific and community battle-tested version.

So, on the readme we have these examples:

```dockerfile
FROM php:7.2-cli

ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions /usr/local/bin/

RUN install-php-extensions gd xdebug
```

Could they follow the same approach other OSS binaries take in their examples? E.g. the Composer Dockerfile uses version pinning like this:

```dockerfile
ENV COMPOSER_VERSION 2.7.4
RUN php /tmp/installer.php \
    --no-ansi \
    --install-dir=/usr/bin \
    --filename=composer \
    --version=${COMPOSER_VERSION}
```

Funnily enough, in that same Dockerfile they also install this binary with signature checking:

```dockerfile
RUN set -eux ; \
  # install https://github.com/mlocati/docker-php-extension-installer
  curl \
    --silent \
    --fail \
    --location \
    --retry 3 \
    --output /usr/local/bin/install-php-extensions \
    --url https://github.com/mlocati/docker-php-extension-installer/releases/download/1.2.58/install-php-extensions \
  ; \
  echo 182011b3dca5544a70fdeb587af44ed1760aa9a2ed37d787d0f280a99f92b008e638c37762360cd85583830a097665547849cb2293c4a0ee32c2a36ef7a349e2 /usr/local/bin/install-php-extensions | sha512sum --strict --check
```

So could we suggest on the readme that people run the following, and potentially also provide signatures to check against:

```dockerfile
FROM php:7.2-cli

ENV PHP_EXTENSION_INSTALLER_VERSION 2.2.14

ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/${PHP_EXTENSION_INSTALLER_VERSION}/install-php-extensions /usr/local/bin/

RUN install-php-extensions gd xdebug
```

Thoughts?
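The pin-and-verify pattern discussed in the comment above, as an added example that is not part of this issue or of the project's own code: a POSIX shell script that checks a file against a pinned SHA-512 digest using the same `sha512sum --strict --check` invocation the quoted Composer Dockerfile relies on, and shows that a modified copy of the file is rejected. So that it runs offline, it constructs a stand-in file and derives the "pinned" digest from it instead of downloading a release; the file name, the function names and the tampered copy are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the project): verify an artifact against a pinned
# SHA-512 digest the way the quoted Composer Dockerfile does, using a
# constructed local file instead of a network download so it runs offline.
set -eu

# verify_sha512 FILE EXPECTED_HEX
# Exit status 0 if FILE's SHA-512 equals EXPECTED_HEX, non-zero otherwise.
# The "<digest>  <path>" line is the format sha512sum --check expects;
# --strict also fails on malformed lines, --status suppresses the OK/FAILED text.
verify_sha512() {
  file=$1
  expected=$2
  echo "$expected  $file" | sha512sum --strict --check --status
}

# Constructed stand-in for a downloaded release binary (not the real installer).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
artifact="$workdir/install-php-extensions"
printf '#!/bin/sh\necho "constructed stand-in, not the real installer"\n' > "$artifact"

# In a real Dockerfile this value is copied from the release page or a
# previous trusted build and committed alongside the version number.
pinned=$(sha512sum "$artifact" | cut -d' ' -f1)

# The untampered artifact must pass.
check_untampered() {
  verify_sha512 "$artifact" "$pinned"
}

# A copy with one appended line (simulating a replaced or trojaned download)
# must fail the same check; success here means the mismatch was detected.
check_tampered() {
  cp "$artifact" "$workdir/tampered"
  printf 'echo injected\n' >> "$workdir/tampered"
  if verify_sha512 "$workdir/tampered" "$pinned"; then
    return 1
  else
    return 0
  fi
}

check_untampered && echo "pinned digest matches the untampered artifact"
check_tampered && echo "tampered copy rejected by the pinned digest"
```

The same check in a Dockerfile fails the build step instead of silently installing whatever the URL served. Note that a digest only proves the bytes are the ones the pin was taken from; it does not by itself prove who published them, which is what a detached signature would add.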

mlocati commented 4 months ago

> it might be safer to run a specific and community battle-tested version.

This project has a very quick release cycle, so there isn't a "battle-tested version" (would you consider battle-tested a version published 2 days ago, whereas a newer one was published yesterday?).

Anyway, back to the actual question: using the very latest version or a fixed version? I think there is no one-size-fits-all answer: anyone can adopt the approach they want.

mlocati commented 4 months ago

In any case, this is more a question/comment than a bug, so it'd be better to use discussions for it.

luigimannoni commented 4 months ago

Sure, thanks for the feedback - I'll move the ticket to a Discussions thread.