Curl Container
This repository contains infrastructure/code that generates, tests and distributes the Official curl docker images available from the following registries:
- quay.io: curl images distributed by Quay.io
- docker.io: curl images distributed by docker.io
- github packages: development curl images
To pull an image:
> podman pull quay.io/curl/curl:latest
To run an image:
> podman run -it quay.io/curl/curl:latest -V
To use base image:
from quay.io/curl/curl-base:latest
RUN apk add jq
How to verify images
To view curl image signature use sigstore cosign tree:
> cosign tree ghcr.io/curl/curl-container/curl:master
Images are verified with this public key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwFTRXl79xRiAFa5ZX4aZ7Vkdqmji
5WY0zqc3bd6B08CsNftlYsu2gAqdWm0IlzoQpi2Zi5C437RTg/DgLQ6Bkg==
-----END PUBLIC KEY-----
Verify image using cosign.pub public key using sigstore cosign verify:
> cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl:master
Contact
If you have problems, questions, ideas or suggestions, please raise an issue or contact curl-container team or Jim Fuller directly.
Development curl images
The following images are available via github packages.
Master branch built regularly:
- curl-dev:master - curl-dev master branch
- curl-base:master - curl-base master branch
- curl:master - curl master branch
- curl-multi:master - curl multiarch master branch
- curl-base-multi:master - curl-base multiarch master branch
A set of special case images built regularly:
- curl-exp:master - curl master branch built enabling expiremental features
Platform specific dev images built daily:
- curl-dev:master - alpine based development environment
- curl-dev-debian:master - debian based development environment
- curl-dev-fedora:master - fedora based development environment
To use any of these development images;
> podman run -it -v /Users/exampleuser/src/curl:/src/curl ghcr.io/curl/curl-container/curl-dev-debian:master zsh
> ./buildconf
> ./configure
> make
Note- dev images are not specifically scanned for vulnerabilities and we currently pin to latest which always has vulns ... use at your own risk. Perhaps we could consider pinning to a later 'vintage'.
Dependencies
Either of the following are required to use images:
The following are required to build or release images:
- buildah: used for composing dev/build images
- qemu-user-static: used for building multiarch images
Release
Curl images roughly match curl own release schedule, though we may release multiple versions of the same curl version. In that instance we append a number (ex. 8.1.2-1) though do not rev the version number used in registries.
The release process is as follows:
- create new branch (ex. v8.1.2)
- update VERSION to match curl version
- update CHANGELOG.md
- raise prep PR, review and merge
- create new release with new tag ( ex. 8.1.2 ) based on previously created branch
- new tag will trigger CI for publishing to quay/docker
