Please remove openSUSE from the official library #5371
Comments
|
It's a little bit harsh to blame us open source maintainers for the outdated images there (so I'd appreciate if we toned down the heavy-handed wording here; we're all doing our best ❤️) -- our process turned out to not be a good fit for the openSUSE image maintainers (which as far as we understand, are representing openSUSE appropriately while maintaining that image), which is what led to docker-library/docs#1224 (which is where the notice at the top of https://hub.docker.com/_/opensuse/ came from). From the looks of the deprecation notice that @Vogtinator wrote in that documentation update, the If the deprecation notice is considered insufficient and the image maintainers agree, we would be happy to remove the tags on that repository, which I believe is probably the best compromise for the user experience we could offer -- if we delete the repository completely, users who are currently using cc @flavio @jordimassaguerpla @davidcassany @Vogtinator (Just to be explicitly clear, no matter which way we go here, if we delete artifacts the user experience changes to We should also update the "short description" to include the deprecation note so that it's more obvious both in the Hub web UI search and via It is absolutely not our intention to misrepresent openSUSE in any way (quite the opposite, really), so we apologise for any confusion or trouble this may have caused and hope we can find an amenable solution to get users on the right track here. ❤️ |
I agree that the issue was worded a bit too harsh - I'm sure we can find a good compromise that works well for all sides (docker-library, openSUSE and users).
Correct, but the process (which mangles binaries, so they technically aren't provided by openSUSE anymore) is not the only issue here. The "vulnerability scan" is severely misrepresenting our images as it does hard comparisons against RedHat package versions, resulting in "red" state for all of our tags currently.
Right, but unfortunately this PR is not enough - the clearly marked as deprecated image does not show up on any other page, which means that "opensuse" is still the first result when searching for "opensuse" and labeled with "official".
Correct - so I'd prefer if that is still reachable until EOL, to prevent user disruption.
That means https://hub.docker.com/_/opensuse/ will no longer show anything, right?
IMO that's still insufficient as long as it turns out to be the first result on the search result page. It's a good first step though. What I would see as the best option is to hide the entire |
|
Thanks for being open with us. ❤️ A lot of this is more issues with the Hub (and not necessarily things we can fix directly), but I'll do my best to address each point more directly. 👍
We totally agree (see https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves for our FAQ entry that attempts to combat this question for our users as best we can), although that's not something we have any control over -- that's a Hub feature. 😞 It would probably be worthwhile to open an issue with Docker's support to perhaps get their security scanner updated to at least detect SUSE separately so they can disable their scans?
Right, that's what I was trying to help overcome with the suggestion for updating the short description as well, since that shows up in all search places and would make the deprecation much more obvious than it is now. 😅 (More on this below.)
Totally sane -- have there been package updates in openSUSE 42.3 that would be worth incorporating in updated bits on that tag? If so, anything I can do to help with that? (If not, feel free to ignore. 😅❤️)
That would mean we can update that image description to something more explicit/helpful for directing users (if the current notice is deemed insufficient), and yes, https://hub.docker.com/_/opensuse?tab=tags would then be empty. We could start by removing everything except the still-supported
I'm not aware of any Hub features that would allow hiding a repository but still allowing it to be pullable (nor do they support any kind of redirection that I'm aware of), and I think hiding the repository would still make the user experience for users looking for the old Basically what I'm proposing is that we turn https://hub.docker.com/_/opensuse into essentially an old fashioned "landing page" for the https://hub.docker.com/u/opensuse images, since that's the best we can do. Then when users try to rebuild or recreate things based on IMO this gives us a decent balance of getting rid of these old artifacts and helping users find what they really want to be using instead. Does that make sense? |
I just read the FAQ and it doesn't even mention "false positives" at all.
AFAIK that already happened several times a while ago and nothing has happened. I don't expect any progress here :-/
Nothing security related AFAICT, so the current image should be fine.
Not just yet - we should try to make the description complete before users want to look up what happened.
The current (short) description isn't good enough - some still think that the "library/opensuse" image is the correct one to use. How can it be changed? I copied all tags from library/opensuse into opensuse/archive and it probably makes sense to redirect there for those who still use the old images for some reason.
I agree.
Yes, sounds like a plan. @sysrich, what do you think? |
|
@Vogtinator 👍 sounds like a good plan to me too Thanks ❤️ |
If you've got some suggested wording, I'd be happy to review/carry it in -- it was originally intended to, but I think that point got lost along the way (since there is a lot of info there / ways a scanner like that can be misleading or outright wrong). 😅
The best way would be a PR against https://github.com/docker-library/docs/tree/master/opensuse (specifically |
Here: docker-library/faq#4
Ah, that's where the short description is coming from - PR is on the way: docker-library/docs#1420 I just noticed another weirdness on the hub: It always says that the "library/opensuse" image was updated "an hour ago" even if this isn't remotely true. Why is that and can anything be done against it? |
Unfortunately not something we have any insight into (although we've reported it to the Hub folks with no response so far) -- as far as I can tell, it only shows glitched like that on search though; if you query the unofficial Hub API (https://hub.docker.com/v2/repositories/library/opensuse/), you get |
We're using deprecated opensuse images [1] [2] which has been now removed, which cause travis failures. Replace them with the official ones. [1] https://hub.docker.com/_/opensuse/ [2] docker-library/official-images#5371 Signed-off-by: Petr Vorel <pvorel@suse.cz>
We're using deprecated opensuse images [1] [2] which has been now removed, which cause travis failures. Replace them with the official ones. + Add required gzip package, which is not installed by default. [1] https://hub.docker.com/_/opensuse/ [2] docker-library/official-images#5371 Signed-off-by: Petr Vorel <pvorel@suse.cz>
|
@Vogtinator are we ready to move forward on removing the remaining tags here now, or should we continue to wait a bit? |
|
@tianon I don't see any reason to wait longer, you've got my permission to go ahead. |
|
docker-library/docs#1518 is updated/pushed and the final remaining tags are now removed 👍 ❤️ |
As much as it is nice to have the attention produced by having openSUSE in the official library, the reality is that none of the images on https://hub.docker.com/_/opensuse/ are valid offerings of the openSUSE Project
The official library curation process has proven to be far too slow for the actual rate of change of openSUSE Tumbleweed and Leap, and issues like #527 which hoped to rectify the situation have gone unanswered and unresolved for years
The images at https://hub.docker.com/r/opensuse/ are the only valid source of truth for valid openSUSE images, but this is not well reflected on hub.docker.com, with searches prioritising the invalid images as 'official'
The status quo is causing serious practical problems for users, with anyone using
opensuse:tumbleweedgetting an image that is phenomenally out of date and potentially vulnerable compared toopensuse/tumbleweedAs Chairman of the openSUSE Board I am also concerned about the Trademark and Copyright implications of Docker Hub redistributing out-of-date and unsupported openSUSE images as "official".
Therefore please can the openSUSE images be removed from the official library?
The text was updated successfully, but these errors were encountered: