PR: #55 (feat/27-docker-compose)
Files: Dockerfile lines 7, 30
Both base images use mutable floating tags:
FROM rust:1-slim AS builder
FROM debian:bookworm-slim AS runtime
rust:1-slim and debian:bookworm-slim resolve to whatever the Docker Hub maintainer last pushed under that tag. A rebuild next week may pull a different libc, a patched OpenSSL, or an unvetted layer. On a production host running a key-holding process this is a supply-chain risk: a silent libc or OpenSSL ABI change can cause crashes, subtler behavioral regressions, or newly introduced CVEs with no diff visible in the repository.
Impact: Non-reproducible builds. A rebuild after a base image update can introduce regressions or ABI-breaking changes in libssl3 that affect TLS handshake behavior on BSC WS RPC connections. The charon binary will compile and run but may behave incorrectly under the new base without any indication.
Suggested fix:
Pin both images to their current digest at time of review:
FROM rust:1-slim@sha256:<current-digest> AS builder
FROM debian:bookworm-slim@sha256:<current-digest> AS runtime
Retrieve digests with:
docker pull rust:1-slim && docker inspect rust:1-slim --format '{{index .RepoDigests 0}}'
docker pull debian:bookworm-slim && docker inspect debian:bookworm-slim --format '{{index .RepoDigests 0}}'
Digest-pinned images can still carry a human-readable tag alongside for readability. Update digests deliberately on each dependency-bump PR so changes are visible in git history.
Refs #55
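The fix above has two parts: rewrite the FROM lines and make sure nobody quietly reverts them. The script below is an added example written for this review, not code from PR #55 or the charon project. check_pinned_from is a CI lint that scans a Dockerfile for FROM lines whose image reference lacks a full 64-hex-character @sha256: digest (stage aliases and scratch are skipped), and pin_digest wraps the docker pull / docker inspect commands from the review to print the tag-plus-digest form; pin_digest assumes a working docker CLI and network access, and the Dockerfile contents in the usage note are constructed.

```shell
#!/bin/sh
# Added example for the review of PR #55 (not project code): a CI lint that
# fails when any base image is not digest-pinned, plus a helper that prints
# the pinned form of a tag using the docker CLI.

# check_pinned_from FILE...
# Prints "FILE:LINE: unpinned base image: REF" for every FROM whose image
# reference has no @sha256:<64 hex> digest. Build-stage aliases ("FROM foo
# AS builder" then "FROM builder") and "scratch" are ignored. Returns 0 when
# every base image is pinned, 1 otherwise.
check_pinned_from() {
    awk '
        FNR == 1 { split("", alias) }                 # reset aliases per file
        toupper($1) == "FROM" {
            i = 2
            while (i <= NF && $i ~ /^--/) i++         # skip flags such as --platform=...
            ref = $i
            for (j = i + 1; j < NF; j++)              # remember "AS <stage>" names
                if (toupper($j) == "AS") alias[tolower($(j + 1))] = 1
            if (tolower(ref) in alias || tolower(ref) == "scratch") next
            n = split(ref, part, "@sha256:")
            if (n != 2 || length(part[2]) != 64 || part[2] !~ /^[0-9a-f]+$/) {
                printf "%s:%d: unpinned base image: %s\n", FILENAME, FNR, ref
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}

# pin_digest TAG
# Prints "TAG@sha256:<digest>", keeping the human-readable tag alongside the
# digest as the review suggests. Needs the docker CLI and registry access,
# so it is not exercised offline.
pin_digest() {
    docker pull "$1" >/dev/null || return 1
    repo_digest=$(docker inspect --format '{{index .RepoDigests 0}}' "$1") || return 1
    printf '%s@%s\n' "$1" "${repo_digest#*@}"
}

# When invoked directly with Dockerfile paths, lint them; exit 1 on findings.
[ $# -eq 0 ] || check_pinned_from "$@"
```

Run it as `sh lint-from.sh Dockerfile` in CI; against the current PR it reports both line 7 (rust:1-slim) and line 30 (debian:bookworm-slim). Once the lines carry real digests, `pin_digest rust:1-slim` produces the exact text to paste into the FROM line on each dependency-bump PR.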