Re: [rdf4j-dev] removing old docker images from dockerhub / vulnerabilit

["Jeen Broekstra" <jeen@xxxxxxxxxxxx>]

On Fri, 18 Nov 2022, at 11:25, Bart Hanssens (BOSA) via rdf4j-dev wrote:

Hi Jeen,

 

It _might_ be useful to keep some older versions on dockerhub to quickly check if an issue is a regression

(then again, we might just use the SDK for that… so I wouldn’t mind just keeping the latest version and delete the rest)

I'll go with that for now, and just delete all old images. If we find we need them again, we can always re-build.

Going forward, shall we try and make it a habit to delete older images as soon as we have pushed a new release? Not sure there's a cli command that we can use for that to automate, if not we'll have to log in via the website and manually delete them...

 

As for automated scanning, it would be great if Eclipse Foundation would provide e.g. Snyk.io subscription,
but if I recall correctly hub.docker is not considered to be core infrastructure by Eclipse …
(rather an extra service due to popular demand)

True. However Snyk itself has a free tier for open-source, which you can use from the command line (via docker scan), so at the very least I think we can make sure we do a docker scan regularly from the command line.

Jeen