A hash at the front of a changelog entry indicates the hash of the container that first contained the change. There will only ever be multiple hashes in a single changelog if the underlying image was rebuilt to fix a security vulnerability.
The S3 Proxy Docker container follows normal Semver-style versioning. A change in the version of the Proxy means that some code change occurred within the image. However, to follow best practices and address possible security vulnerabilities within the container's underlying image, we will also periodically update the base image of one or more tagged versions. This will cause the container hash to change, but the tag will remain the same.
The following policy governs version numbering. The primary goals of this policy are to communicate changes when they occur within the Proxy, to quickly address and fix vulnerabilities in current/old versions, and to avoid hosting tagged, vulnerable images within our registry.
- Docker image tags WILL change if there are code changes within the image. This means that there are direct code changes between versions.
- Docker image tags WILL change if we move to a completely different underlying base image, i.e. from slim or something similar.
- Docker image tags WILL NOT change if we just update the base image to fix a container vulnerability.
- Tagged Docker images will never be removed from our public registry,
with the exception of pre-release/beta tags (those in the form
- Untagged images with or without vulnerabilities will continue to live in GCR for some time period, but they may eventually be removed.