FROM fixed centos:7.5.1804 or just centos:7 ?

[vorburger]

@rhuss while looking more closely at #165 than I had before (because of #171), I was just wondering why you chose FROM centos:7.5.1804 (fixed version from that month) instead of just using centos:7 ? Shall we change this?

[rhuss]

I think we can change it for master, but for an own release (with a tag), I really would like to pin it so that a respin of the release produces the same image (and least for the base image).

There might be different spots which hinder such a reproducible build (like unpinned package updates). We should at least document then our release process, i.e. that the version should be pinned before doing a release and maybe relax afterwards.

But at the end, maybe just stay with a pinned version and update it when doing a new release ?

[vorburger]

OK sure let's keep it as-is then, I can see and agree with the stability point, no worries.

Do we already have a RELEASE.md doc describing who we release this?

Let's just add a section to bump the centos base image to latest in doc.

[rhuss]

no, we don't have one as well as we don't have a CHANGELOG.md. Both would be a good idea to have.

[jsbillings]

@vorburger suggested I chime in here, since he was asking in the #centos IRC channel.

Pinning your centos version in the FROM section of a Dockerfile, then running 'yum install ...' isn't going to get you packages from anything except the latest release of CentOS, so you might as well use FROM centos:7. There are not separate yum repositories for 7.5.1804 than 7.6.1810, so all you are doing is forcing your container to have an out-of-date image that most likely will pull in more packages when you use 'yum install'. It won't make your build any more reproducible.

[vorburger]

@rhuss #206 has a longer write up about what I learnt about this kind of stuff today.

I really would like to pin it so that a respin of the release produces the same image (and least for the base image). There might be different spots which hinder such a reproducible build (like unpinned package updates).

My understanding, based on what I learnt on #centos today (see https://gist.github.com/vorburger/ea367a76f69aafb8260c62f6bedf2788 and summary in #206) is that this is futile and won't really work anyway, because, at least when there are events like today's release of the CentOS 7.6 image, and on future updates, there apparently basically no longer really is e.g. a 7.5 and its RPM packages, anyway (unless we want to get really creative and do serious gymnastics involving vault.centos.org).

I'm therefore going to change the FROM now, and also make it do a yum update (which is NOT the cause of the underlying problem; that's just a good idea while we are at cleaning this sort of thing up now).

[vorburger]

Do we already have a RELEASE.md doc describing who we release this?
no, we don't have one as well as we don't have a CHANGELOG.md. Both would be a good idea to have.

I'll do that in #208.