janhoy commented on pull request #1769:
URL: https://github.com/apache/lucene-solr/pull/1769#issuecomment-728787567


   +1 to lighter weight. However, our users should somehow be able to verify 
that a Docker image pulled from Docker Hub (or downloaded from elsewhere) is 
indeed the officially voted-upon binaries that they find in the release repo. 
Downloads from mirrors are easy to verify as we provide `.sha512` and `.asc` 
files for them. Likewise [artifacts from 
maven](https://repo1.maven.org/maven2/org/apache/solr/solr-core/8.7.0/) also 
have `.asc` and `.sha1` files for every jar. Current docker-solr Dockerfile can 
be inspected in that it downloads the official tarball and validates GPG 
signature. The lightweight Dockerfile performs no such checks and cannot be 
validated the same way.
   
   So here is my proposal. We build the docker image from folder instead of 
tgz, but also add documentation to our [download 
page](https://lucene.apache.org/solr/downloads.html) on how to verify the solr 
binaries inside the image. Could even script it:
   
       curl -o verify-docker.sh https://lucene.apache.org/solr/verify-docker.sh
       # docker bind mounts need an absolute host path, hence $PWD rather than ./
       docker run --rm -v "$PWD/verify-docker.sh:/verify-docker.sh" apache/solr:9.0.0 sh /verify-docker.sh
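The kind of check such a `verify-docker.sh` could run inside the container, as an added example that is not the project's script and not part of the comment above: it parses an Apache-style `.sha512` file (both the `<hex>  <name>` and the older `<name>: <HEX groups>` layouts), compares digests, and walks a manifest of per-file digests to flag anything missing or modified. The directory layout, manifest format and file names are constructed for the example; it assumes `sha512sum` or `shasum` is available, and the `.asc` step assumes the release KEYS have already been imported into the local GPG keyring.

```shell
#!/bin/sh
# Added example, not the project's verify-docker.sh: check Solr binaries against
# Apache-style .sha512 files, the same kind of check the Dockerfile does for the
# tarball. Assumes sha512sum (or shasum) is on PATH; manifest paths are relative
# to the directory being checked (a constructed layout, not Solr's own).

# Hex SHA-512 of one file, using whichever tool the image provides.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Expected digest from a .sha512 file, lower-case hex. Accepts both layouts
# Apache has published: "<hex>  <name>" and "<name>: <HEX in spaced groups>",
# the latter possibly wrapped over several lines.
expected_digest() {
    tr -d '\r' < "$1" | awk '
        NR == 1 && length($1) == 128 && $1 ~ /^[0-9A-Fa-f]+$/ {
            print tolower($1); found = 1; exit
        }
        /:/ { sub(/^[^:]*:/, "") }
        { gsub(/[ \t]/, ""); acc = acc $0 }
        END { if (!found) print tolower(acc) }
    '
}

# verify_sha512 <file> <sha512-file>: exit 0 only if the digests match.
verify_sha512() {
    actual=$(sha512_of "$1")
    expected=$(expected_digest "$2")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# verify_tree <root> <manifest>: manifest lines are "<hex>  <relative path>".
# Reports every entry, exits non-zero if any file is missing or modified.
verify_tree() {
    root=$1; bad=0
    while read -r want path; do
        case $want in ''|\#*) continue ;; esac
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1))
        elif [ "$(sha512_of "$root/$path")" != "$want" ]; then
            echo "MISMATCH $path"; bad=$((bad + 1))
        else
            echo "OK       $path"
        fi
    done < "$2"
    [ "$bad" -eq 0 ]
}

# GPG step for the .asc signatures (assumes the project KEYS file was imported
# into the keyring first; not exercised offline here).
verify_asc() {
    gpg --batch --verify "$2" "$1"
}

# Constructed fixture: a fake tree with two "jars" and a manifest, one jar
# modified after the manifest was written. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/server/lib"
    printf 'constructed jar A\n' > "$d/server/lib/a.jar"
    printf 'constructed jar B\n' > "$d/server/lib/b.jar"
    {
        printf '%s  server/lib/a.jar\n' "$(sha512_of "$d/server/lib/a.jar")"
        printf '%s  server/lib/b.jar\n' "$(sha512_of "$d/server/lib/b.jar")"
    } > "$d/manifest.sha512"
    printf 'tampered\n' >> "$d/server/lib/b.jar"
    echo "$d"
}

# Usage inside a container: sh verify.sh /opt/solr /manifest.sha512
if [ "$#" -eq 2 ]; then
    verify_tree "$1" "$2"
fi
```

Run with two arguments (the install root and a manifest) it prints one line per entry and exits non-zero on any `MISSING` or `MISMATCH`, so it can gate a CI job; the manifest itself is what the project would have to publish and sign for this to prove anything.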


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
