by _joel 1754 days ago
Or you could tag a little more optimally.

Tags are mutable, digests aren't.
Why, how often do you change tags after you've built a container and for what reason if so?
Digests cryptographically guarantee that you get the correct content, which prevents both malicious tampering (MITM, stolen credentials, etc.) and accidental mutations. This is why "immutable tags" are a bad substitute and an oxymoron.

There are also better caching properties when using content-addressable identifiers. For example, with Kubernetes pull policies, using IfNotPresent and deploying by digest means you don't even have to check with the registry to initialize a pod if the image is already cached, which can improve startup latency.

> There are also better caching properties when using content addressable identifiers. For example with kubernetes pull policies, using IfNotPresent and deploying by digest means you don't even have to check with the registry to initialize a pod if the image is already cached, which can improve startup latency.

While I agree on the unquoted part, this is true also for human-readable (aka mutable-that-should-be-immutable) tags, when that pull policy is set (which it is by default for everything that is not `latest`).

With a sha you shouldn’t have to change the pull policy. However there isn’t a need for always if you have the sha.
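
Added example, not part of any comment in this thread: a small Python audit that splits image references into name, tag and digest, reports which ones are not pinned by digest, and shows the `imagePullPolicy` Kubernetes documents as the default when the field is omitted. The function names, image names and digest are constructed for illustration.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image(ref):
    """Split an image reference into (name, tag, digest); missing parts are None."""
    name, _, digest = ref.partition("@")
    digest = digest or None
    if digest is not None and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # A ':' marks a tag only in the last path segment; earlier it is a registry port.
    head, slash, last = name.rpartition("/")
    last, _, tag = last.partition(":")
    return head + slash + last, tag or None, digest

def default_pull_policy(ref):
    """Documented Kubernetes default when imagePullPolicy is omitted."""
    _, tag, digest = parse_image(ref)
    if digest:
        return "IfNotPresent"   # pinned by digest: a cached copy is the same content
    if tag is None or tag == "latest":
        return "Always"         # no tag, or :latest
    return "IfNotPresent"       # any other tag, even though the tag can be re-pointed

def audit(images):
    """Return one finding per image: whether it is digest-pinned and its default policy."""
    return [{"image": ref,
             "pinned": parse_image(ref)[2] is not None,
             "default_policy": default_pull_policy(ref)} for ref in images]

def unpinned(images):
    """Images that a registry-side tag change could silently re-point."""
    return [f["image"] for f in audit(images) if not f["pinned"]]

# Constructed sample data (the digest is not a real image digest).
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_IMAGES = [
    "nginx",
    "nginx:latest",
    "nginx:1.21.6",
    "localhost:5000/team/app",
    "registry.example.com/team/app:v2",
    "registry.example.com/team/app@" + SAMPLE_DIGEST,
]

if __name__ == "__main__":
    for f in audit(SAMPLE_IMAGES):
        print(f"{f['image']:<110} pinned={f['pinned']!s:<5} default={f['default_policy']}")
```

For a tagged image with `IfNotPresent`, a node that already has the image cached keeps running the old content after the tag is moved, while a fresh node pulls the new content; the digest-pinned reference resolves to the same bytes on both.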