Feature Request: Unique Tags for the Images

[kamulos]

I think it would be useful to have image tags that point to a specific image version and stay on that version. I have two motivating examples where this would help:

First: if there is a CVE in the distroless container I want to be able to commit an update and make sure everybody gets the updated version. When using mutable tags like latest sometimes a cached version might be used, which still contains the CVE.

Second: I want to be able to stay on a specific version or recreate it in the future. If the image just updates in a future build it could introduce bugs or hide cves from a scan.

A possible image tag would be the date of publishing.

[loosebazooka]

pinning container images is typically done with the sha256 instead of a tag and is probably what I would recommend. Have your tooling do updates based on tags and write down sha256.

we also publish commit hash tags -- though I added those mostly for people wanting to tracing backwards to the build.