[GH-ISSUE #34] Dockerfile uses unpinned latest tag and unspecified Python version #27

Closed
opened 2026-03-02 15:47:19 +03:00 by kerem · 1 comment

Originally created by @cinpol on GitHub (Feb 2, 2026).
Original GitHub issue: https://github.com/PegaProx/project-pegaprox/issues/34

The current Dockerfile has two best practice violations that could lead to unpredictable builds and potential breakage:

  • Using alpine:latest instead of a pinned version
  • No explicit Python version specified despite requiring Python 3.8+

Unpinned Alpine version

Using latest creates several issues:

  • Non-reproducible builds - different developers/CI runs may get different base images
  • Unpredictable breaking changes - new Alpine releases could introduce incompatibilities
  • Harder debugging - difficult to determine which Alpine version caused an issue
  • Security concerns - harder to track and audit what's actually running in production

Unspecified Python version

While the project requires Python 3.8+, the Dockerfile installs whatever python3 package comes with the Alpine version, which:

  • Could theoretically be below 3.8 with very old Alpine versions
  • Makes the Python version implicit and dependent on the Alpine version
  • Lacks clarity for developers about which Python version is actually used

Solution

Pin both the Alpine version and ensure a specific Python version:
FROM alpine:3.19 (or any other tag that supports Python 3.8+)

Or use a Python-specific base image for even more clarity:
FROM python:3.11-alpine3.19

Happy to submit a PR if needed!

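A check for the problem this issue describes, added here as an example and not code from the issue or the project: a small Dockerfile lint that flags `FROM` lines with no tag or the `latest` tag, and goes a little beyond the issue by accepting `@sha256:` digest pins, skipping references to earlier build stages and `scratch`, and reporting image names that come from a build `ARG`. The sample Dockerfiles are constructed, not the project's real file.

```python
import re
from typing import List, Tuple

# Matches: FROM [--platform=<p>] <image-ref> [AS <stage>]  (case-insensitive)
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

def check_pinning(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, image_ref, reason) for every FROM that is not pinned."""
    findings = []
    stages = set()
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        m = _FROM_RE.match(raw.split("#", 1)[0])   # drop trailing comments
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if stage:
            stages.add(stage.lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue                               # earlier stage or empty image
        if "$" in ref:                             # FROM ${BASE}: the pin lives in an ARG
            findings.append((no, ref, "image comes from a build ARG; cannot verify pin"))
            continue
        if "@sha256:" in ref:
            continue                               # digest pin, immutable
        # Take the last path component so a registry port (host:5000/img) is not read as a tag
        name = ref.rsplit("/", 1)[-1]
        tag = name.split(":", 1)[1] if ":" in name else None
        if tag is None:
            findings.append((no, ref, "no tag (implicitly latest)"))
        elif tag.lower() == "latest":
            findings.append((no, ref, "tag 'latest' is not a pin"))
    return findings

# Constructed samples: the Dockerfile shape the issue describes, and the proposed fix.
BEFORE = "FROM alpine:latest\nRUN apk add --no-cache python3\n"
AFTER = (
    "FROM python:3.11-alpine3.19 AS build\n"
    "FROM build AS test\n"
    "FROM scratch\n"
)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_pinning(text) or "pinned")
```

Running it over the repository's Dockerfile in CI (failing the job when the list is non-empty) turns the pinning rule into an enforced check rather than a review comment.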
kerem closed this issue 2026-03-02 15:47:20 +03:00

@mkellermann97 commented on GitHub (Feb 3, 2026):

Hi @cinpol ,

Thank you for noticing.
Feel free to submit here a PR.

Regards,
Marcus
