- Joined on Jul 09, 2020
I understand your hint to the trust problem. But providing an official binary is in no conflic with having the git source for users who do not trust enouth and want to build it on thair own. It is not very difficult to compare self build dockerimage is the same as one build by someone else as long as the underlying layers are the same. But you are totaly right if the underlying layers change for some reason you have to veryfy again even if there is no change in the source repo. Saying this I would argue it is the responsibility of the user to make the decision which way to go. It depents on the level of security and trust and on budget. I also basicly understand that you do not want to relay too much on US services. But as it is possible to self host the same thing there is no big lock-in effect to pay. If you think it is worth to host an own gitlabinstance or a build server and a docker registry like harbor this is also great. I would suport you on this as good as I can anyway. One question for in the meantime: I see there is now an entry in releases. As much I can see this is not related to any git tag, right? If I want to improve my pipeline to provide image tags for speciic releases should I rely on the date based release naming or the version number? Ok two questions: And if I should still use theverion number e.g. 3.2.0 what would you say is the easiestway to get it from the repo (what about using tags)? Ah and I totaly forgot to say realy great project, thanks for all the work! I have written about it in my german blog https://hub.xdit.de/channel/lobi-blog. Just had lost my contact lenses and so was unable to do anything on computers the last weeks.
1 year ago