Ensure Pin version in 'apt-get' install

Version pinning forces the build to retrieve a particular version regardless of what's in the cache. This technique can also reduce failures due to unanticipated changes in required packages.

Risk Level: medium
Platform: Docker
Spectral Rule ID: DOCKR004


If the image previously used an older version, specifying the new one causes a cache bust of apt-get update and ensures the installation of the new version. Listing packages on each line can also prevent mistakes in package duplication.

RUN apt-get update && apt-get install -y \
aufs-tools \
automake \
build-essential \
curl \
dpkg-sig \
libcap-dev \
libsqlite3-dev \
mercurial \
reprepro \
ruby1.9.1 \
ruby1.9.1-dev \
- s3cmd \
+ s3cmd=1.1.* \
&& rm -rf /var/lib/apt/lists/*

Read more: