chore(infra): pin Docker base images by digest (DEBT-023)
All base images (debian:bookworm-slim, ubuntu:22.04, ubuntu:20.04, rockylinux:9-minimal, centos:7, alpine:3.19, fedora:39, kalilinux/kali-rolling, archlinux:latest, honeynet/conpot:latest) now carry their resolved sha256 digest so 'docker pull' is deterministic. :tag retained for human readability; @sha256 is what Docker actually resolves. Refresh procedure documented at the top of decnet/distros.py.
@@ -18,69 +18,86 @@ class DistroProfile:
|
||||
build_base: str # apt-compatible image for service Dockerfiles (FROM ${BASE_IMAGE})
|
||||
|
||||
|
||||
# Base images are pinned by digest (sha256) to make `docker pull`
|
||||
# reproducible — a registry-side rebuild of "debian:bookworm-slim"
|
||||
# can't silently swap content under us. The :tag is kept for human
|
||||
# readability; the @sha256 is what Docker actually resolves.
|
||||
# Refresh procedure: `docker pull <tag>` then `docker inspect
|
||||
# --format '{{index .RepoDigests 0}}' <tag>`. Last refreshed 2026-05-03.
|
||||
_DEBIAN_BOOKWORM = "debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252"
|
||||
_UBUNTU_22_04 = "ubuntu:22.04@sha256:962f6cadeae0ea6284001009daa4cc9a8c37e75d1f5191cf0eb83fe565b63dd7"
|
||||
_UBUNTU_20_04 = "ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214"
|
||||
_ROCKY_9 = "rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4"
|
||||
_CENTOS_7 = "centos:7@sha256:be65f488b7764ad3638f236b7b515b3678369a5124c47b8d32916d6487418ea4"
|
||||
_ALPINE_3_19 = "alpine:3.19@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1"
|
||||
_FEDORA_39 = "fedora:39@sha256:d63d63fe593749a5e8dbc8152427d40bbe0ece53d884e00e5f3b44859efa5077"
|
||||
_KALI_ROLLING = "kalilinux/kali-rolling@sha256:1fd0364490011f245688c6ed9fee498a11cd779badfbb0b1d3a721d0f49f2d15"
|
||||
_ARCH_LATEST = "archlinux:latest@sha256:5ba8bb318666baef4d33afefc0e65db80f38b23503cb8e7b150d315cc2d4d5da"
|
||||
|
||||
|
||||
DISTROS: dict[str, DistroProfile] = {
|
||||
"debian": DistroProfile(
|
||||
slug="debian",
|
||||
image="debian:bookworm-slim",
|
||||
image=_DEBIAN_BOOKWORM,
|
||||
display_name="Debian 12 (Bookworm)",
|
||||
hostname_style="generic",
|
||||
build_base="debian:bookworm-slim",
|
||||
build_base=_DEBIAN_BOOKWORM,
|
||||
),
|
||||
"ubuntu22": DistroProfile(
|
||||
slug="ubuntu22",
|
||||
image="ubuntu:22.04",
|
||||
image=_UBUNTU_22_04,
|
||||
display_name="Ubuntu 22.04 LTS (Jammy)",
|
||||
hostname_style="generic",
|
||||
build_base="ubuntu:22.04",
|
||||
build_base=_UBUNTU_22_04,
|
||||
),
|
||||
"ubuntu20": DistroProfile(
|
||||
slug="ubuntu20",
|
||||
image="ubuntu:20.04",
|
||||
image=_UBUNTU_20_04,
|
||||
display_name="Ubuntu 20.04 LTS (Focal)",
|
||||
hostname_style="generic",
|
||||
build_base="ubuntu:20.04",
|
||||
build_base=_UBUNTU_20_04,
|
||||
),
|
||||
"rocky9": DistroProfile(
|
||||
slug="rocky9",
|
||||
image="rockylinux:9-minimal",
|
||||
image=_ROCKY_9,
|
||||
display_name="Rocky Linux 9",
|
||||
hostname_style="rhel",
|
||||
build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian
|
||||
build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian
|
||||
),
|
||||
"centos7": DistroProfile(
|
||||
slug="centos7",
|
||||
image="centos:7",
|
||||
image=_CENTOS_7,
|
||||
display_name="CentOS 7",
|
||||
hostname_style="rhel",
|
||||
build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian
|
||||
build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian
|
||||
),
|
||||
"alpine": DistroProfile(
|
||||
slug="alpine",
|
||||
image="alpine:3.19",
|
||||
image=_ALPINE_3_19,
|
||||
display_name="Alpine Linux 3.19",
|
||||
hostname_style="minimal",
|
||||
build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian
|
||||
build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian
|
||||
),
|
||||
"fedora": DistroProfile(
|
||||
slug="fedora",
|
||||
image="fedora:39",
|
||||
image=_FEDORA_39,
|
||||
display_name="Fedora 39",
|
||||
hostname_style="rhel",
|
||||
build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian
|
||||
build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian
|
||||
),
|
||||
"kali": DistroProfile(
|
||||
slug="kali",
|
||||
image="kalilinux/kali-rolling",
|
||||
image=_KALI_ROLLING,
|
||||
display_name="Kali Linux (Rolling)",
|
||||
hostname_style="rolling",
|
||||
build_base="kalilinux/kali-rolling", # Debian-based, apt-get compatible
|
||||
build_base=_KALI_ROLLING, # Debian-based, apt-get compatible
|
||||
),
|
||||
"arch": DistroProfile(
|
||||
slug="arch",
|
||||
image="archlinux:latest",
|
||||
image=_ARCH_LATEST,
|
||||
display_name="Arch Linux",
|
||||
hostname_style="rolling",
|
||||
build_base="debian:bookworm-slim", # Dockerfiles use apt-get; fall back to debian
|
||||
build_base=_DEBIAN_BOOKWORM, # Dockerfiles use apt-get; fall back to debian
|
||||
),
|
||||
}
|
||||
|
||||
|
||||
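Review bot: The refresh comment above `_DEBIAN_BOOKWORM` gives the two commands but no cadence and no list of the other places the digests are copied, so a pinned base keeps whatever packages it shipped on 2026-05-03 until someone remembers to refresh it. `{{index .RepoDigests 0}}` also takes whichever entry happens to be first, which may not be the expected registry entry if the local image was pulled through a mirror or retagged; the comment should say to check that the printed repository matches the tag. I would extend it with something like `# Refresh on a schedule and on base-image CVEs; update every copy: models.py, topology/compose.py, services/conpot.py, templates/*/Dockerfile.` The rolling references (`_KALI_ROLLING`, `_ARCH_LATEST`) will age fastest. The `DistroProfile` class and the module header start outside this hunk.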
@@ -91,7 +91,7 @@ class DeckyConfig(BaseModel):
|
||||
services: list[str] = PydanticField(..., min_length=1)
|
||||
distro: str # slug from distros.DISTROS, e.g. "debian", "ubuntu22"
|
||||
base_image: str # Docker image for the base/IP-holder container
|
||||
build_base: str = "debian:bookworm-slim" # apt-compatible image for service Dockerfiles
|
||||
build_base: str = "debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252" # apt-compatible image for service Dockerfiles; digest pinned via distros.py
|
||||
hostname: str
|
||||
archetype: str | None = None # archetype slug if spawned from an archetype profile
|
||||
service_config: dict[str, dict] = PydanticField(default_factory=dict)
|
||||
|
||||
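Review bot: The new default for `build_base` is a second hand-typed copy of the digest that `decnet/distros.py` already holds in `_DEBIAN_BOOKWORM`, and nothing visible here enforces the trailing comment "digest pinned via distros.py". The same literal is repeated in `_DEFAULT_BASE_IMAGE` in the compose module and in the Dockerfile `ARG BASE_IMAGE` defaults, and the Conpot service and its Dockerfile duplicate the Conpot digest the same way, so a partial refresh would silently build from two different snapshots. If importing from `distros` does not create an import cycle, `build_base: str = DISTROS["debian"].build_base` removes this copy. Otherwise a test along the lines of `assert DeckyConfig.model_fields["build_base"].default == DISTROS["debian"].build_base` (assuming Pydantic v2) would catch drift. The `DeckyConfig` body continues outside the hunk.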
@@ -25,7 +25,7 @@ class ConpotService(BaseService):
|
||||
return {
|
||||
"build": {
|
||||
"context": str(self.dockerfile_context()),
|
||||
"args": {"BASE_IMAGE": "honeynet/conpot:latest"},
|
||||
"args": {"BASE_IMAGE": "honeynet/conpot:latest@sha256:cd93e88d9e44b020db691fc4c75cb29e76b5e90ddbc408aca26e6c78c5646976"},
|
||||
},
|
||||
"container_name": f"{decky_name}-conpot",
|
||||
"restart": "unless-stopped",
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=honeynet/conpot:latest
|
||||
ARG BASE_IMAGE=honeynet/conpot:latest@sha256:cd93e88d9e44b020db691fc4c75cb29e76b5e90ddbc408aca26e6c78c5646976
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
USER root
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
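Review bot: The pinned `ARG BASE_IMAGE` default fixes only the base layer; the `RUN apt-get update && apt-get install` that follows still resolves package versions at build time, so two builds from this Dockerfile can differ even with the same digest. A short comment above the `ARG` would keep readers from over-reading the pin, e.g. `# Base layer is digest-pinned; packages installed below still float with the apt mirror.` The same applies to the other template Dockerfile hunks with this `ARG` / `FROM ${BASE_IMAGE}` / `apt-get` shape. The `RUN` instruction continues past the end of the hunk.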
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
|
||||
# ── Stage 1: build the static auth-helper credential-capture binary ──────────
|
||||
# Compiled against musl so the resulting binary is fully static — runs on
|
||||
# any glibc/musl Linux without a libc version match. Stripped at link
|
||||
# time via -s so `file /usr/sbin/auth-helper` reports a generic ELF.
|
||||
FROM debian:bookworm-slim AS auth-helper-build
|
||||
FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 AS auth-helper-build
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends musl-tools \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
COPY auth-helper/auth-helper.c /tmp/auth-helper.c
|
||||
|
||||
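Review bot: This Dockerfile now carries the digest twice, once in the `ARG BASE_IMAGE` default and once hard-coded in `FROM debian:bookworm-slim@sha256:… AS auth-helper-build`, and only the first can be overridden by the build arg. A refresh that misses the builder line leaves the helper compiled on a different snapshot from the one recorded in `decnet/distros.py`. Declaring `ARG BUILDER_IMAGE=<pinned debian reference>` next to `ARG BASE_IMAGE` and using `FROM ${BUILDER_IMAGE} AS auth-helper-build` keeps one literal per file. The next hunk (the template whose comment mentions `/etc/pam.d/login`) has the same pattern, and the builder stage continues outside this hunk.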
@@ -1,11 +1,11 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
|
||||
# ── Stage 1: build the static auth-helper credential-capture binary ──────────
|
||||
# Same source the SSH template builds — generic over PAM service. Wired
|
||||
# into /etc/pam.d/login below so every busybox-telnetd → /bin/login auth
|
||||
# attempt is captured before pam_unix runs. Static + musl: ~38 KB ELF,
|
||||
# zero libc version coupling, runs anywhere.
|
||||
FROM debian:bookworm-slim AS auth-helper-build
|
||||
FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 AS auth-helper-build
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends musl-tools \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
COPY auth-helper/auth-helper.c /tmp/auth-helper.c
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
ARG BASE_IMAGE=debian:bookworm-slim
|
||||
ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -24,7 +24,8 @@ import yaml
|
||||
|
||||
from decnet.services.registry import get_service
|
||||
|
||||
_DEFAULT_BASE_IMAGE = "debian:bookworm-slim"
|
||||
# Pinned by digest; refresh procedure documented in decnet/distros.py.
|
||||
_DEFAULT_BASE_IMAGE = "debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252"
|
||||
|
||||
# 8 chars matches the git short-SHA convention; collision-safe within
|
||||
# a single deployment's network namespace.
|
||||
|
||||
@@ -494,10 +494,9 @@ The prober already computes JARM (`worker.py:286`), HASSH (`worker.py:334`), and
|
||||
### ~~DEBT-022 — Debug `print()` in correlation engine~~ ✅ CLOSED (false positive)
|
||||
`decnet/correlation/engine.py:20` — The `print()` call is inside the module docstring as a usage example, not in executable code. No production code path affected.
|
||||
|
||||
### DEBT-023 — Unpinned base Docker images
|
||||
**Files:** All `templates/*/Dockerfile`
|
||||
`debian:bookworm-slim` and similar tags are used without digest pinning. Image contents can silently change on `docker pull`, breaking reproducibility and supply-chain integrity.
|
||||
**Status:** Deferred — requires `docker pull` access to resolve current digests for each base image.
|
||||
### ~~DEBT-023 — Unpinned base Docker images~~ ✅ RESOLVED
|
||||
**Files:** `decnet/distros.py`, `decnet/models.py`, `decnet/topology/compose.py`, `decnet/services/conpot.py`, all `decnet/templates/*/Dockerfile`
|
||||
Resolved 2026-05-03. All base images now carry `image:tag@sha256:<digest>` references. Tags retained for human readability; `@sha256` is what Docker actually resolves, so a registry-side rebuild can no longer swap content under us. Pinned: `debian:bookworm-slim`, `ubuntu:22.04`, `ubuntu:20.04`, `rockylinux:9-minimal`, `centos:7`, `alpine:3.19`, `fedora:39`, `kalilinux/kali-rolling`, `archlinux:latest`, `honeynet/conpot:latest`. Refresh procedure documented at the top of `decnet/distros.py` (`docker pull <tag>` + `docker inspect --format '{{index .RepoDigests 0}}' <tag>`).
|
||||
|
||||
### ~~DEBT-024 — Stale service version hardcoded in Redis template~~ ✅ RESOLVED
|
||||
~~**File:** `templates/redis/server.py:15`~~
|
||||
@@ -705,7 +704,7 @@ user who needs it.
|
||||
| ~~DEBT-020~~ | ✅ | Docs | resolved |
|
||||
| ~~DEBT-021~~ | ✅ | Architecture | resolved `de84cc6` |
|
||||
| ~~DEBT-022~~ | ✅ | Code Quality | closed (false positive) |
|
||||
| DEBT-023 | 🟢 Low | Infra | deferred (needs docker pull) |
|
||||
| ~~DEBT-023~~ | ✅ | Infra | resolved 2026-05-03 |
|
||||
| ~~DEBT-024~~ | ✅ | Infra | resolved |
|
||||
| ~~DEBT-025~~ | ✅ | Build | resolved |
|
||||
| ~~DEBT-026~~ | ✅ | Features | resolved 2026-05-03 |
|
||||
@@ -732,5 +731,5 @@ user who needs it.
|
||||
| DEBT-048 | 🟡 Medium | TTP / Intel provider mapping review (recurring) | open / recurring |
|
||||
| DEBT-049 | 🟡 Medium | TTP / Sigma adapter (post-v1) | open |
|
||||
|
||||
**Remaining open:** DEBT-011 (Alembic), DEBT-023 (image pinning), DEBT-027 (Dynamic bait store), DEBT-028 (deploy endpoint tests), DEBT-032 (fingerprint rotation detection), DEBT-033 (transcript shard rotation), DEBT-036 (session-profile ingester), DEBT-037 (webhook delivery hardening), DEBT-038 (SSH PAM cred-capture limitations — document-only), DEBT-042 (orchestrator failure-count window), DEBT-043 (frontend test framework), DEBT-045 (EmailLifter heavyweight — partial paid; carved-out follow-ups remain), DEBT-046 (mal-hash feed), DEBT-048 (TTP intel provider mapping review — recurring quarterly), DEBT-049 (TTP Sigma adapter — post-v1).
|
||||
**Remaining open:** DEBT-011 (Alembic), DEBT-027 (Dynamic bait store), DEBT-028 (deploy endpoint tests), DEBT-032 (fingerprint rotation detection), DEBT-033 (transcript shard rotation), DEBT-036 (session-profile ingester), DEBT-037 (webhook delivery hardening), DEBT-038 (SSH PAM cred-capture limitations — document-only), DEBT-042 (orchestrator failure-count window), DEBT-043 (frontend test framework), DEBT-045 (EmailLifter heavyweight — partial paid; carved-out follow-ups remain), DEBT-046 (mal-hash feed), DEBT-048 (TTP intel provider mapping review — recurring quarterly), DEBT-049 (TTP Sigma adapter — post-v1).
|
||||
**Estimated remaining effort:** ~21 hours plus the new EmailLifter / TTP follow-ups. DEBT-030 Phase B (optimistic staged-buffer editor) is a follow-up, not debt.
|
||||
|
||||