
Preserve CI Build Integrity and Prevent Future Problems with Deterministic Builds - felicianotech
https://circleci.com/blog/preserve-build-integrity-prevent-problems-deterministic-builds/
======
tedmiston
I really like this idea, but I haven't seen anything from the docker side
(using DockerHub) to enforce image tags being deterministic. Having a
deterministic build doesn't get me all the way there if anyone can push over
my tag with a different build manually.

~~~
felicianotech
True. For "official" Docker Hub orgs, they typically have a tag policy. There
still needs to be some trust there in whether or not they'd follow that.

The only way to ensure you get what you started with is to use a digest. Every
Docker image has a digest and that's basically a UUID for that image. If they
push over the tag with another release, the new image will have a different
digest.

Use the image digest in your CircleCI config file (or wherever else) and
you'll always get that exact image.
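
Added example, not part of the thread or of CircleCI's own tooling: a small audit that lists every `image:` entry in a CircleCI config that is not pinned with `@sha256:<digest>`, so a re-pushed tag cannot silently change the build. The image names, the sample config and the digest value are constructed placeholders, and the line-based matching assumes one `image:` key per line.

```python
import re

# Matches "image: <ref>" entries as they appear under a CircleCI docker executor.
IMAGE_LINE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^\s'\"#]+)")
# A pinned reference ends in @sha256:<64 lowercase hex characters>.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify(ref):
    """Return 'pinned', 'bad-digest', 'tag-only' or 'untagged' for one reference."""
    if DIGEST.search(ref):
        return "pinned"
    if "@" in ref:
        return "bad-digest"  # has a digest part, but not a well-formed sha256
    # A colon after the last slash is a tag; a colon before it is a registry port.
    last = ref.rsplit("/", 1)[-1]
    return "tag-only" if ":" in last else "untagged"


def audit(config_text):
    """Return (line_number, reference, status) for every image that is not pinned."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m:
            status = classify(m.group(1))
            if status != "pinned":
                findings.append((n, m.group(1), status))
    return findings


# Constructed sample config; the digest below is a made-up placeholder value.
SAMPLE = """\
version: 2.1
jobs:
  build:
    docker:
      - image: example/builder:1.2
      - image: example/db:14.0@sha256:""" + "ab" * 32 + """
      - image: localhost:5000/tools
    steps:
      - checkout
"""

if __name__ == "__main__":
    for n, ref, status in audit(SAMPLE):
        print(f"line {n}: {ref} is {status}; pin it with @sha256:<digest>")
```

Run as a pre-merge check, a non-empty result means at least one job still resolves its image through a mutable tag.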

