what are immutable tags in docker

Question

i saw a stackoverflow answer where immutable tags are mentioned and googled further to understand what they exactly are, found a article where they said

A static, or immutable, tag always points to the same image. This is useful when you depend on a specific revision of an image For example, if you use the tag 3.4.13-debian-10-r8, this tag will always refer to v3.4.13 revision 8 of the image. The use of this tag ensures that users get the same image every time.

not much of an expert in docker, does the above quoted text mean whether it points to same image with same version, or does it mean it points to same base image with updated versions as well?

also in the same answer, it was mentioned about moving tag here,

what does it mean by moving tag?

Answer 1

In the registry, all content is content addressable, referenced by a digest (currently sha256). If you pull an image with its digest, it is always the same thing since the digest for the image layers and configuration are packaged in a manifest that has its own digest, resulting in something that looks like a Merkle tree.

Since humans are not good at understanding and remembering digests, we have tags. These tags are readable strings that get translated to the digest by the registry. The tags are effectively a pointer.

On most registries, you can push a new image to a tag, replacing where the tag points. If you have a tag for v1.0, you may also push a tag for v1, and any user that wants the latest release of v1 pulls the v1 tag. So when you push v1.1, you also push v1, changing that pointer. Those are mutable tags, or what some may describe as a moving tag.

Some registries support immutable tags, so that once the tag is pushed, it can never reference a different digest. If the registry doesn't support this, some organizations may implement this as policy. That said, you're depending on the registry and the administrators to be well behaved, so security will still recommend using digests when you really want immutable images.