Dockerfile is not reproducible
Using an unversioned third-party image as the base for this container makes the resulting image depend on whatever the upstream provider has most recently pushed as that image's latest version, so two builds of the same Dockerfile can produce different images:

`FROM continuumio/miniconda3`
The OSSR should publish a policy for creating reproducible containers.
- The FROM statement should include the full registry URL:
  `FROM docker.io/continuumio/miniconda3`
- The FROM statement should reference a specific version of the base container:
  `FROM docker.io/continuumio/miniconda3:4.10.3p0`
- The FROM statement should reference a base container in a repository maintained by an EU-funded provider, not a commercial organization.

Should the OSSR maintain a registry of base container images for participants to use?
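As an added example (not code from this issue or the project it concerns), the following check, in Python, reads FROM lines from a Dockerfile and reports which of the points above each one misses; it goes one step further than the issue text by also flagging the absence of a `@sha256:` digest, since a tag such as `4.10.3p0` can still be re-pushed upstream whereas a digest cannot. The sample Dockerfile and the all-zero digest are constructed placeholders.

```python
import re

# Constructed sample Dockerfile (not from the repository this issue is about).
# The sha256 value is a placeholder, not a real image digest.
SAMPLE_DOCKERFILE = """\
FROM continuumio/miniconda3
FROM docker.io/continuumio/miniconda3
FROM docker.io/continuumio/miniconda3:4.10.3p0
FROM docker.io/continuumio/miniconda3:4.10.3p0@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS build
"""

# FROM [--platform=...] <image-ref> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE)

def parse_image_ref(ref):
    """Split an image reference into registry, repository path, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # Docker only treats the first path component as a registry host when it
    # contains '.' or ':' or is 'localhost'; otherwise docker.io is implied.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = None, ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:      # a ':' in the last component is the tag separator
        path, tag = path.rsplit(":", 1)
    return {"registry": registry, "path": path, "tag": tag, "digest": digest}

def check_from(ref):
    """Return the reproducibility problems found in one FROM image reference."""
    parts = parse_image_ref(ref)
    problems = []
    if parts["registry"] is None:
        problems.append("no registry: resolves to docker.io implicitly")
    if parts["tag"] is None and parts["digest"] is None:
        problems.append("no tag: resolves to :latest")
    elif parts["tag"] == "latest":
        problems.append("tag is 'latest'")
    if parts["digest"] is None:
        problems.append("no digest: the tag can be moved upstream")
    return problems

def lint_dockerfile(text):
    """Map each FROM line (1-based line number) to its list of problems."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if m and m.group(1).lower() != "scratch":   # FROM scratch pulls nothing
            findings[lineno] = check_from(m.group(1))
    return findings

if __name__ == "__main__":
    for lineno, problems in lint_dockerfile(SAMPLE_DOCKERFILE).items():
        print(f"line {lineno}: {problems or ['ok']}")
```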