Implement devcontainer-lock.json #244

Open
ggjulio opened this issue Jun 20, 2024 · 0 comments
ggjulio commented Jun 20, 2024

See the original spec: https://github.com/devcontainers/spec/blob/main/docs/specs/devcontainer-lockfile.md

Example repo: https://github.com/microsoft/vscode/blob/main/.devcontainer/devcontainer-lock.json


Goal

Introduce a lockfile that records the exact version, download information and checksums for each feature listed in the devcontainer.json.

This will allow for:

  • Improved reproducibility of image builds (installing "latest" of a tool will still have different outcomes as the tool publishes new releases).
  • Improved cacheability of image builds (image cache checksums will remain stable when the lockfile pins a feature to a particular version).
  • Improved security by detecting when a feature's release artifact changes after its checksum was first recorded in the lockfile ("trust on first use").

Useful resources:

@ggjulio ggjulio changed the title Add `d]] Implement devcontainer-lock.json Jun 20, 2024
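
The "trust on first use" behaviour described in the issue, as an added example that is not code from this project or from the spec. It assumes lockfile entries keyed by feature id with `version`, `resolved` and `integrity` fields as in the linked lockfile spec; `check_features`, the `frozen` flag and the sample artifacts are hypothetical and constructed here.

```python
import hashlib

def digest(artifact: bytes) -> str:
    """Checksum in the 'sha256:<hex>' form assumed for the lockfile."""
    return "sha256:" + hashlib.sha256(artifact).hexdigest()

def check_features(feature_ids, lock, fetched, frozen=False):
    """Compare fetched feature artifacts with the lockfile.

    feature_ids: ids listed in devcontainer.json
    lock:        parsed devcontainer-lock.json ({} if it does not exist yet)
    fetched:     id -> (version, artifact bytes), as downloaded for this build
    frozen:      hypothetical CI mode that refuses to pin anything new
    Returns (lockfile to write back, list of (id, problem)).
    """
    entries = dict(lock.get("features", {}))
    problems = []
    for fid in feature_ids:
        version, artifact = fetched[fid]
        actual = digest(artifact)
        pinned = entries.get(fid)
        if pinned is None:
            if frozen:
                problems.append((fid, "not in lockfile"))
            else:
                # First use: trust what was downloaded and record it.
                base = fid.rsplit(":", 1)[0]  # drop the tag (simplified)
                entries[fid] = {"version": version,
                                "resolved": f"{base}@{actual}",
                                "integrity": actual}
        elif pinned["integrity"] != actual:
            # Artifact changed after it was pinned: report, never re-pin silently.
            problems.append((fid, f"integrity mismatch: locked "
                                  f"{pinned['integrity']}, got {actual}"))
    return {"features": entries}, problems

# Constructed sample input (not real feature contents).
NODE = "ghcr.io/devcontainers/features/node:1"
FEATURES = [NODE]
FETCHED = {NODE: ("1.0.4", b"constructed node feature tarball")}
TAMPERED = {NODE: ("1.0.4", b"constructed tarball, republished with changes")}

if __name__ == "__main__":
    lock, problems = check_features(FEATURES, {}, FETCHED)   # first build pins
    print(lock, problems)
    print(check_features(FEATURES, lock, TAMPERED)[1])       # later build detects change
```

The first run records whatever it downloads, so the pin is only as trustworthy as that first fetch; committing the lockfile and running CI with the strict mode keeps later builds from re-pinning unnoticed.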