Document tracebox supply-chain limitation in Dockerfile

greenc-FNAL · Copilot · greenc-FNAL · commit 62f6c6c54974 · 2026-03-20T21:23:14.000-05:00
The Perfetto project currently offers no versioned or checksum-verifiable
standalone tracebox binary download. Add a comment noting this known
limitation so it is visible for future remediation.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/ci/Dockerfile b/ci/Dockerfile
@@ -300,7 +300,11 @@ wget -O perfetto.h https://raw.githubusercontent.com/google/perfetto/${PERFETTO_
 wget -O perfetto.cc https://raw.githubusercontent.com/google/perfetto/${PERFETTO_VERSION}/sdk/perfetto.cc
 chmod 644 perfetto.h perfetto.cc
 
-# Install tracebox for system-wide profiling
+# Install tracebox for system-wide profiling.
+# Note: get.perfetto.dev/tracebox serves the latest binary with no versioned
+# or checksum-verifiable download currently offered by the Perfetto project.
+# Revisit when the project provides versioned tracebox releases with integrity
+# metadata.
 wget -O tracebox https://get.perfetto.dev/tracebox
 chmod +x tracebox
 mv tracebox /usr/local/bin/
