build a distroless base image to be used for bom based on apko and melange #137
Comments
developer-guy
added
kind/feature
|
This might help us 👇 cc: @jdolitsky @puerco |
|
If we could enumerate the packages that Does |
|
melange would be required to get |
|
I thought the plan was to make a base image that contained all the things You could also use melange to build |
Didn't see any mention of ko, but that would work too 😄 In fact, that would add the benefit of surfacing an SBOM from this package (no way to do this in melange currently). |
|
Similar issues: google/go-containerregistry#1356 Once we complete it on the ko project side, maybe, later on, we can do the same one here. |
|
I've created PR to create a base image to be used for debugging purposes in ko, and we can achieve the same one in bom tool as well: |
|
if it looks legitimate, I can do the same one for the bom tool. |
|
kindly ping @cpanato @saschagrunert |
|
I don't think we require git and go as runtime dependency for bom (this is worth a second look). |
|
no it does not need afaik |
|
Unfortunately, the problem still exists, to reproduce the same issue here1:
Footnotes |
|
Does |
yep, this is why we set the current base image of the bom project as ghcr.io/chainguard-images/go:latest here. |
|
kindly ping folx 👋 |
|
kindly ping folx ☝️ I did a similar issue on the ko project side. |
|
Do we have any volunteer from @kubernetes-sigs/release-engineering who can provide us an overview how the Edit: |
|
not git, bom requires go executable ☝️ @saschagrunert |
|
Ah, alright thank you for the clarification! |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
I'm still interested in doing this, folx. |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned |
|
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What would you like to be added:
Based on the comment that @puerco did, it'd be better to have a base image for bom tool that includes all the necessary packages such as go, git, etc. The proper way of doing it is that use a tech stack including apko1 and melange2.
cc: @justaugustus @kaniini @imjasonh @cpanato
Why is this needed:
To provide a proper base image for bom tool that fits its needs.
#137 (comment)
Footnotes
https://github.com/chainguard-dev/apko ↩
https://github.com/chainguard-dev/melange ↩
The text was updated successfully, but these errors were encountered: