| Re: [rdf4j-dev] removing old docker images from dockerhub / vulnerability scanning |
I've been doing a bit of a browse through some other Eclipse projects publishing docker images, and from what I can see, actually quite a few of them don't bother updating images beyond just pushing new releases of the tool itself. So perhaps you're right Håvard.I think we do need to add something about the availability of these images to our download pages, and make it clear how these images are maintained. I would suggest that we still offer the option to publish a refreshed version of an older image _upon request_. I'll write something up and put it up as a PR for review.I'll also take a quick look at a republish of at least a 4.1.3 and 3.7.7 image.JeenOn Sat, 19 Nov 2022, at 09:07, Jeen Broekstra wrote:On Fri, 18 Nov 2022, at 20:00, Håvard Ottestad wrote:Hi Jeen and Bart,I recommend we keep the older versions around just like how we keep older versions of RDF4J around on maven central.Ah I jumped the gun and removed them.Users who want to use an older image can very easily extend it and call the equivalent of apt-get update && apt-get upgrade if the open-ssl vulnerability is important for them to fix.I don't think this is something we can palm off to our users. It's our responsibility.I think that deleting the images would come as a bit of a surprise for those users who are currently using them. Docker will cache them locally, just like how maven does, but if they try to set up a new computer it will be missing.Given they're gone now we can rebuild a few obvious ones (recent minor/major releases), if we want to go this way.But we'll have to come up with a clear policy on this. My personal view is that is if we say "we provide a docker image for you to use RDF4J 3.0" then it is _our_ responsibility to keep that docker image up to date and safe to use. But happy to discuss alternatives.JeenHåvardOn 18 Nov 2022, at 02:07, Jeen Broekstra <jeen@xxxxxxxxxxxx> wrote:On Fri, 18 Nov 2022, at 11:25, Bart Hanssens (BOSA) via rdf4j-dev wrote:Hi Jeen,
It _might_ be useful to keep some older versions on dockerhub to quickly check if an issue is a regression
(then again, we might just use the SDK for that… so I wouldn’t mind just keeping the latest version and delete the rest)
I'll go with that for now, and just delete all old images. If we find we need them again, we can always re-build.Going forward, shall we try and make it a habit to delete older images as soon as we have pushed a new release? Not sure there's a cli command that we can use for that to automate, if not we'll have to log in via the website and manually delete them...
As for automated scanning, it would be great if Eclipse Foundation would provide e.g. Snyk.io subscription,
but if I recall correctly hub.docker is not considered to be core infrastructure by Eclipse …
(rather an extra service due to popular demand)True. However Snyk itself has a free tier for open-source, which you can use from the command line (via docker scan), so at the very least I think we can make sure we do a docker scan regularly from the command line.Jeen_______________________________________________rdf4j-dev mailing listrdf4j-dev@xxxxxxxxxxxTo unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/rdf4j-dev_______________________________________________rdf4j-dev mailing listTo unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/rdf4j-dev_______________________________________________rdf4j-dev mailing listTo unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/rdf4j-dev_______________________________________________rdf4j-dev mailing listTo unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/rdf4j-dev