Re: [rdf4j-dev] removing old docker images from dockerhub / vulnerability scanning
  • From: "Bart Hanssens (BOSA)" <bart.hanssens@xxxxxxxxxxxx>
  • Date: Thu, 17 Nov 2022 22:25:14 +0000

Hi Jeen,

It _might_ be useful to keep some older versions on dockerhub to quickly check if an issue is a regression (then again, we might just use the SDK for that… so I wouldn’t mind just keeping the latest version and deleting the rest).

As for automated scanning, it would be great if the Eclipse Foundation would provide e.g. a Snyk.io subscription, but if I recall correctly hub.docker is not considered to be core infrastructure by Eclipse … (rather an extra service due to popular demand)

Best regards

Bart

From: rdf4j-dev <rdf4j-dev-bounces@xxxxxxxxxxx> On Behalf Of Jeen Broekstra
Sent: Thursday 17 November 2022 21:39
To: rdf4j developer discussions <rdf4j-dev@xxxxxxxxxxx>
Subject: [rdf4j-dev] removing old docker images from dockerhub / vulnerability scanning

Currently, we have docker images for about 20 versions of RDF4J published to Dockerhub (see https://hub.docker.com/repository/docker/eclipse/rdf4j-workbench). However, we tend not to refresh those images, meaning that any security fixes that get published for the base images we rely on do not get pushed. As a result, most of these older versions are unsafe to use.

I can easily go in manually and just remove all images other than latest and 4.2.1, but can we think of any reasons to perhaps keep some older tagged versions around? If we do, we'll need to come up with a procedure to refresh those images periodically, and/or a way to scan them so we're aware of potential vulnerabilities affecting them.

Thoughts?

Jeen