# B18 — docker base images not pinned by @sha256

Bug ref      : always.md B.18 ; pharo.md §7
Severity     : HIGH (any base-image push silently changes the build environment)
Files        : docker/ubuntu-arm64/Dockerfile, docker/debian10-armv7/Dockerfile

## Problem

```dockerfile
# docker/ubuntu-arm64/Dockerfile
FROM arm64v8/ubuntu as base
```

```dockerfile
# docker/debian10-armv7/Dockerfile
FROM arm32v7/debian:buster as base
```

Both `FROM` lines are mutable references. `arm64v8/ubuntu` carries no
tag at all, so it resolves to `latest` and moves to whatever release
Canonical currently publishes under that tag. `arm32v7/debian:buster`
(Debian 10) is a floating tag that rolls forward whenever Debian
publishes a patched buster base. In both cases the build environment
changes with no change to this repository and no record of what was
actually built. Reproducible builds and supply-chain integrity both
require pinning to an immutable `@sha256` digest, which the client
verifies against the manifest it pulls.

## Fix

Replace each tag with a `@sha256:<digest>` reference.

```diff
diff --git a/docker/debian10-armv7/Dockerfile b/docker/debian10-armv7/Dockerfile
index 71956c81e..5f5e01b40 100644
--- a/docker/debian10-armv7/Dockerfile
+++ b/docker/debian10-armv7/Dockerfile
@@ -1,4 +1,7 @@
-FROM arm32v7/debian:buster as base
+# Pin to an immutable digest so the base image cannot silently change.
+# Operator: replace <FILL_IN_DEBIAN_DIGEST> via `docker buildx imagetools
+# inspect arm32v7/debian:buster` after verifying upstream policy.
+FROM arm32v7/debian:buster@sha256:<FILL_IN_DEBIAN_DIGEST> as base
 WORKDIR /opt/pharo
 ENV TZ=Europe/Paris
 RUN set -eu; \
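```

Review bot: with `<FILL_IN_DEBIAN_DIGEST>` left in the `FROM` line this Dockerfile cannot build, so the test plan's "`docker build .` succeeds with the pinned digest" cannot pass as committed; fill the digest in before merge, or add a CI check that rejects any `FILL_IN` left in a `FROM` line. The comment also tells the operator to run `docker buildx imagetools inspect arm32v7/debian:buster` but not which of the printed digests to paste (the top-level `Digest:` of the manifest list, or the `linux/arm/v7` entry under `Manifests:`); say which, and record the tag and date the digest was taken from so later bumps are auditable. "after verifying upstream policy" is not actionable; replace it with the concrete check intended.

```diff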
diff --git a/docker/ubuntu-arm64/Dockerfile b/docker/ubuntu-arm64/Dockerfile
index baf18fdf4..7a453c1b7 100644
--- a/docker/ubuntu-arm64/Dockerfile
+++ b/docker/ubuntu-arm64/Dockerfile
@@ -1,4 +1,7 @@
-FROM arm64v8/ubuntu as base
+# Pin to an immutable digest so the base image cannot silently change.
+# Operator: replace <FILL_IN_UBUNTU_DIGEST> via `docker buildx imagetools
+# inspect arm64v8/ubuntu` after verifying upstream policy.
+FROM arm64v8/ubuntu@sha256:<FILL_IN_UBUNTU_DIGEST> as base
 WORKDIR /opt/pharo
 ENV TZ=Europe/Paris
 RUN set -eu; \
```

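
Review bot: in the ubuntu hunk `arm64v8/ubuntu` has no tag, so `docker buildx imagetools inspect arm64v8/ubuntu` resolves `latest` and the pasted digest will be whichever Ubuntu release `latest` pointed at that day, with nothing in the file saying which. Pin against an explicit release tag and keep the tag in the line, e.g. `FROM arm64v8/ubuntu:20.04@sha256:<digest> as base`; Docker resolves by the digest when both are present, and the tag documents the intended release. As with the debian hunk, the `<FILL_IN_UBUNTU_DIGEST>` placeholder means the file does not build until it is replaced, and the comment should state which digest (manifest list or per-platform) is expected.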
Obtain the digest for each image with `docker buildx imagetools
inspect <ref> | grep -E 'Digest|MediaType|Platform'` and substitute
it. Inspect an explicit release tag rather than the untagged `latest`
(`arm64v8/ubuntu:20.04`, not `arm64v8/ubuntu`), and keep that tag in
the `FROM` line next to the digest so the file records which release
the pin was taken from; Docker resolves by the digest when both are
present. The top-level `Digest:` line is the manifest list; the
`Manifests:` block lists each per-platform manifest digest with its
`Platform:` line.

## Test plan

- `grep -n 'FILL_IN' docker/*/Dockerfile` returns nothing: no
  placeholder digest is left in the tree.
- `docker build .` in each image directory succeeds with the pinned
  digest.
- `docker buildx imagetools inspect <pinned ref>` lists the platform
  that Dockerfile targets (`linux/arm64`, `linux/arm/v7`).
- Change one hex character of the digest: the build fails with a
  manifest-not-found error from the registry, which proves the pin is
  enforced rather than decorative.
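
A static gate for the test plan above, as an added shell example (not the pharo project's own tooling): it reads a Dockerfile with awk and fails on any `FROM` that pulls an image without a full `@sha256` digest or still carries a `<FILL_IN_...>` placeholder, so CI catches the problem before `docker build` ever contacts a registry. `check_pins` is a name introduced here; build-stage references (`FROM base` after `FROM ... AS base`) and `FROM scratch` are deliberately not flagged.

```shell
#!/bin/sh
# Added example, not code from the pharo repository: a CI gate that fails
# when a FROM line is not pinned by digest, or still carries a placeholder.

# check_pins FILE: print one diagnostic per offending FROM line; return 0
# only if every external base image in FILE is pinned by a full digest.
check_pins() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && substr($i, 1, 2) == "--") i++   # skip --platform=...
      ref = $i
      # Remember "FROM x AS name" aliases: a later "FROM name" is a build
      # stage, not a registry pull, and must not be flagged.
      for (j = i + 1; j < NF; j++) if (toupper($j) == "AS") stages[$(j + 1)] = 1
      if (ref == "scratch" || (ref in stages)) next
      n = index(ref, "@sha256:")
      if (n == 0) {
        printf "%s:%d: not pinned by digest: %s\n", FILENAME, FNR, ref
        bad = 1
      } else {
        h = substr(ref, n + 8)          # everything after "@sha256:"
        if (length(h) != 64 || h !~ /^[0-9a-f]+$/) {
          printf "%s:%d: malformed digest (placeholder left in?): %s\n", FILENAME, FNR, ref
          bad = 1
        }
      }
    }
    END { exit bad }
  ' "$1"
}
```

Run it as `for f in docker/*/Dockerfile; do check_pins "$f" || exit 1; done` from CI; the digest check avoids awk interval expressions (`{64}`) on purpose, since older mawk builds do not support them.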

## Risk notes

- Pinning freezes the base, so the image lags upstream security
  updates until the digest is bumped. A quarterly review is a floor,
  not a cadence for security fixes: re-run `docker buildx imagetools
  inspect` on every release and whenever the base distribution
  announces a fix, or let Renovate or Dependabot (both understand
  Docker digest pins) open the bump PRs.
- Keep the tag next to the digest (`arm32v7/debian:buster@sha256:<digest>`).
  Docker resolves by the digest, and the tag tells a reviewer what
  release the pin is supposed to be.
- For multi-arch tags, decide which digest to pin. The manifest-list
  (index) digest lets buildx pick the right platform at build time and
  is the safe default. A per-platform manifest digest is valid only for
  that one architecture and the build fails on any other, so use it
  only if the Dockerfile is built for that architecture alone. Either
  way, confirm with `docker buildx imagetools inspect <pinned ref>`
  that the pinned reference covers the platform the Dockerfile targets
  (`linux/arm64` or `linux/arm/v7`).
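
The resolve-and-substitute step in the Fix section and the index-versus-platform choice in the risk note above, as one added shell example (not code from the pharo repository or its authors). It parses a constructed capture of `docker buildx imagetools inspect` output instead of calling a registry; the sample's digests are made up, and `index_digest`, `platform_digest` and `pin_from` are names introduced here.

```shell
#!/bin/sh
# Added example, not code from the pharo repository: pick a digest out of
# `docker buildx imagetools inspect <ref>` output and rewrite a Dockerfile
# FROM line to pin it. Runs offline against a constructed capture.

# Constructed sample of `docker buildx imagetools inspect ubuntu:20.04`
# output. The digests are made up (64 hex chars each, like real ones).
D_INDEX="sha256:$(printf '%064d' 0 | tr 0 d)"
D_AMD64="sha256:$(printf '%064d' 0 | tr 0 a)"
D_ARM64="sha256:$(printf '%064d' 0 | tr 0 b)"
D_ARMV7="sha256:$(printf '%064d' 0 | tr 0 c)"
SAMPLE_INSPECT=$(printf '%s\n' \
  "Name:      docker.io/library/ubuntu:20.04" \
  "MediaType: application/vnd.oci.image.index.v1+json" \
  "Digest:    $D_INDEX" \
  "" \
  "Manifests:" \
  "  Name:        docker.io/library/ubuntu:20.04@$D_AMD64" \
  "  MediaType:   application/vnd.oci.image.manifest.v1+json" \
  "  Platform:    linux/amd64" \
  "" \
  "  Name:        docker.io/library/ubuntu:20.04@$D_ARM64" \
  "  MediaType:   application/vnd.oci.image.manifest.v1+json" \
  "  Platform:    linux/arm64" \
  "" \
  "  Name:        docker.io/library/ubuntu:20.04@$D_ARMV7" \
  "  MediaType:   application/vnd.oci.image.manifest.v1+json" \
  "  Platform:    linux/arm/v7")

# index_digest INSPECT_TEXT: the digest of the manifest list (OCI index),
# i.e. the first top-level "Digest:" line. Pin this when one Dockerfile is
# built for more than one platform; buildx still selects the right arch.
index_digest() {
  printf '%s\n' "$1" | awk '/^Digest:/ { print $2; exit }'
}

# platform_digest INSPECT_TEXT PLATFORM: the digest of the single-arch
# manifest for PLATFORM (e.g. linux/arm/v7). Valid only for that arch;
# prints nothing if the index has no entry for it.
platform_digest() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^ *Name:.*@sha256:/ { d = $2; sub(/.*@/, "", d) }
    /^ *Platform:/ && $2 == want { print d; exit }
  '
}

# pin_from FILE REPO DIGEST: rewrite "FROM REPO[:tag] ..." in FILE to
# "FROM REPO[:tag]@DIGEST ...". Lines already carrying a digest, other
# repositories, stage references and non-FROM lines are left alone.
# awk rebuilds a modified line with single spaces between fields.
pin_from() {
  file=$1; repo=$2; digest=$3
  # Never write anything but a full digest (catches a leftover placeholder).
  printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || {
    echo "refusing to pin: '$digest' is not sha256:<64 hex>" >&2
    return 1
  }
  awk -v repo="$repo" -v digest="$digest" '
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && substr($i, 1, 2) == "--") i++   # skip --platform=...
      ref = $i
      r = ref; sub(/:[0-9A-Za-z_.-]*$/, "", r)          # drop :tag for the compare
      if (index(ref, "@") == 0 && r == repo) $i = ref "@" digest
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
```

Against a live registry, replace `SAMPLE_INSPECT` with `$(docker buildx imagetools inspect arm32v7/debian:buster)` and pin `$(index_digest "$that")` unless the image is built for exactly one platform, in which case `platform_digest` with `linux/arm/v7` (or `linux/arm64` for the ubuntu image) gives the narrower pin.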
