Status: Open
Labels: bug (Something isn't working)
Bug description
The Dockerfile uses an unpinned Rust version (e.g., rust:latest or rust:1.70), which can lead to non-reproducible builds. Different Rust versions may introduce breaking changes, new lints, or subtle behavioral differences that could affect the KMS compilation or runtime behavior.
Severity: LOW
Location: Dockerfile
To Reproduce
- Check the Dockerfile base image
- Look for the version specification in the `FROM rust:X.Y` line
- Notice it likely uses a major.minor version without a patch version
- Subsequent builds may pull different patch versions with different behaviors
Expected behavior
The Dockerfile should pin the exact Rust version including the patch number for reproducible builds.
Recommended fix:
```dockerfile
# BEFORE (non-reproducible):
FROM rust:1.70
# AFTER (reproducible):
FROM rust:1.70.0
# Even better - use SHA256 digest:
FROM rust:1.70.0@sha256:abc123...
```
Suggested Fix
Best practices for version pinning:
- Pin exact versions:
  ```dockerfile
  FROM rust:1.70.0  # Not rust:1.70 or rust:latest
  ```
- Use digest pinning for maximum reproducibility:
  ```dockerfile
  FROM rust:1.70.0@sha256:1234567890abcdef...
  ```
- Document the update policy:
  ```dockerfile
  # Rust version: 1.70.0
  # Last updated: 2024-01-15
  # Update policy: Review monthly for security patches
  FROM rust:1.70.0
  ```
- Automate version updates with Dependabot:
  ```yaml
  # .github/dependabot.yml
  version: 2
  updates:
    - package-ecosystem: "docker"
      directory: "/"
      schedule:
        interval: "weekly"
  ```
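The reproduction steps and the pinning practices above can be turned into an offline check. The script below is an added example written for this issue, not code from the project: it parses every `FROM` instruction in a Dockerfile, classifies the base image as unresolved (build ARG), unpinned (no tag or a floating tag such as `latest`), partial (major or major.minor only, like `rust:1.70`), exact (`rust:1.70.0`) or digest-pinned, skips references to earlier build stages, and reports each line that falls below the level you require. The sample Dockerfile and the all-zero digest in it are constructed placeholders; the real digest for a tag comes from `docker buildx imagetools inspect rust:1.70.0`.

```python
"""Offline check that every base image in a Dockerfile is pinned tightly enough.

Pinning levels, weakest to strongest:
  unresolved - image or tag comes from a build ARG and cannot be judged statically
  unpinned   - no tag, or a floating tag such as latest/stable
  partial    - major or major.minor tag only (rust:1.70): patch releases still float
  exact      - major.minor.patch tag (rust:1.70.0)
  digest     - @sha256:<64 hex> digest present: fully reproducible
"""
import re

RANK = {"unresolved": 0, "unpinned": 0, "partial": 1, "exact": 2, "digest": 3}
FLOATING_TAGS = {"latest", "stable", "nightly", "beta", "edge"}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
EXACT_RE = re.compile(r"\d+\.\d+\.\d+(?:-[\w.-]+)?")    # 1.70.0, 1.70.0-slim-bookworm
PARTIAL_RE = re.compile(r"\d+(?:\.\d+)?(?:-[\w.-]+)?")  # 1, 1.70, 1.70-slim


def parse_from(line):
    """Return (reference, image, tag, digest, alias) for a FROM instruction, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0].upper() != "FROM":
        return None
    args = [t for t in tokens[1:] if not t.startswith("--")]  # drop --platform=...
    if not args:
        return None
    ref = args[0]
    alias = args[2].lower() if len(args) >= 3 and args[1].upper() == "AS" else None
    name, digest = (ref.split("@", 1) + [None])[:2]
    path, _, last = name.rpartition("/")  # keep a registry host:port out of the tag split
    repo, _, tag = last.partition(":")
    image = f"{path}/{repo}" if path else repo
    return ref, image, tag or None, digest, alias


def classify(image, tag, digest):
    """Map one base-image reference to a pinning level."""
    if "$" in image or (tag and "$" in tag) or (digest and "$" in digest):
        return "unresolved"
    if digest is not None:
        # A truncated or malformed digest pins nothing (docker would refuse to pull it)
        return "digest" if DIGEST_RE.fullmatch(digest) else "unpinned"
    if tag is None or tag.lower() in FLOATING_TAGS:
        return "unpinned"
    if EXACT_RE.fullmatch(tag):
        return "exact"
    if PARTIAL_RE.fullmatch(tag):
        return "partial"
    return "unpinned"  # named tags such as bookworm-slim float as well


def check_dockerfile(text, minimum="exact"):
    """Return [(line_no, instruction, level)] for every FROM below the required level."""
    findings, stages = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments
        parsed = parse_from(line)
        if parsed is None:
            continue
        ref, image, tag, digest, alias = parsed
        if ref.lower() in stages:  # FROM <earlier stage>: nothing external to pin
            continue
        if alias:
            stages.add(alias)
        level = classify(image, tag, digest)
        if RANK[level] < RANK[minimum]:
            findings.append((line_no, line, level))
    return findings


# Constructed sample Dockerfile, not the project's own.
SAMPLE_BEFORE = """\
FROM rust:1.70 AS builder
WORKDIR /app
COPY . .
RUN cargo build --release

FROM debian:bookworm-slim
COPY --from=builder /app/target/release/kms /usr/local/bin/kms
ENTRYPOINT ["kms"]
"""

# All-zero placeholder digest so the sample runs offline; substitute the real one.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "rust:1.70 ", f"rust:1.70.0@{PLACEHOLDER_DIGEST} "
).replace("debian:bookworm-slim", f"debian:bookworm-slim@{PLACEHOLDER_DIGEST}")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        problems = check_dockerfile(text, minimum="digest")
        print(f"{label}: {len(problems)} insufficiently pinned base image(s)")
        for line_no, line, level in problems:
            print(f"  line {line_no}: [{level}] {line}")
```

Running it on the sample reports the `rust:1.70` stage as partial and `debian:bookworm-slim` as unpinned, while the digest-pinned version passes even at the strictest level. Wiring `check_dockerfile(open("Dockerfile").read(), minimum="digest")` into CI keeps a future edit from silently reintroducing a floating tag.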
Additional Context
Benefits of version pinning:
- ✅ Reproducible builds across different environments
- ✅ Prevents unexpected breakage from Rust updates
- ✅ Easier to track which version is in production
- ✅ Controlled upgrade process
Would you like to work on a fix? [y/n] Yes