Pull images via sha256 instead of tag
Node operators currently do a lot of
make update especially during MCCN. This will pull down new containers where the tag has been changed, e.g updating Ethereum client from
This is extra unnecessary attack surface for node operators to pull in modified binaries and execute. A sophisticated nefarious attacker who gained access to Docker images could modify them to steal keys and when 2/3 of node operators update.
Instead of pulling tags, we should pull sha256 checksum from known good CI builds (or official Ethereum releases) - that way, the node-launcher repo is in control of what binary is executing on cluster. This significantly lowers attack surface.