images should be rebuilt altogether #147
Comments
@chulkilee |
I didn't say I had particular security problems. However, if you check out "Security Scanning service" of any images (not only To minimize the issue, "official" images should be rebuilt periodically to pick up those changes. |
I see you're asking for an infrastructure-level periodic rebuilding service, which may be better asked of https://github.com/docker-library/official-images/issues ??
It's true that old Erlang versions remain there, but 1) we do not have permission to delete any old image (you may ask official-images); 2) they do exist for a reason, for example the tag
I don't feel the
I agree it should, but who is going to do such monitoring and force-rebuild work? I do believe it's beyond what someone's spare time can do; if you are from some software security company, you will be welcome to contribute your effort to keep all older historical version images also up to date and free from vulnerabilities. It would need extra computing resources (= money) or a software engineer's dedicated time (also = money). So either ask official-images (Docker Inc.) or have your company donate it, or wait until this repo has more active contributors (so far the number is 2). From this repo's current status, the best advice I can give is to keep the image build time, and keep upgrading; in the examples above, do not stick on |
First of all, thanks a lot for maintaining this. If it sounds like I "demanded" it, then it's my fault. I'm just not familiar with the Docker official image process (I only have several automated images on Docker Hub, which does all the jobs for me). According to the Library definition files section
So, official image maintainers don't do anything to trigger a rebuild. The manifest file just needs to keep containing those tags. Good news! And here are the findings:
And here is the implicit policy from it..
What's unfortunate is.. this "policy" is not documented anywhere in Docker Hub or the docs. I'm not blaming this specific erlang image - don't get me wrong! I'm going to close this as it doesn't need any further actions (unless we want to keep all images listed in the docker image page :) ) However, for future work, it would be interesting to see how many people use version-specific images (therefore already out-dated or soon-to-be outdated images), and how quickly people want to (and actually do) upgrade the Erlang version as a new version is released. |
Found that https://hub.docker.com/r/library/erlang/tags/ lists images for old Erlang versions, and they haven't been updated for a while.
This will result in missing security fixes on the base image!
I don't know how all things work together... but
based on https://github.com/docker-library/official-images/blob/master/library/erlang the manifest file is generated by https://github.com/erlang/docker-erlang-otp/blob/master/generate-stackbrew-library.sh
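The thread's conclusion is that a tag keeps receiving base-image rebuilds only while it stays listed in the stackbrew manifest, and that nothing on Docker Hub tells you how old a pinned tag's image is. The following is an added example (not code from docker-erlang-otp or official-images) that makes both points checkable: it parses a manifest in the `Tags:` / `GitCommit:` / `Directory:` block format that official-images uses, then compares each Hub tag's `Created` timestamp (the value `docker inspect -f '{{.Created}}' erlang:<tag>` prints) against an age threshold. The manifest contents, the tag names and the timestamps below are constructed for the example; a real run would read the manifest file from official-images and collect the timestamps with `docker inspect`.

```python
"""Flag official-image tags that are stale or that will never be rebuilt again."""
from datetime import datetime, timezone

# Constructed sample in the stackbrew library format used by
# docker-library/official-images/library/<image>. Commits and tags are invented.
SAMPLE_MANIFEST = """\
# this file is generated via generate-stackbrew-library.sh

Maintainers: Example Maintainer <maint@example.invalid> (@example)
GitRepo: https://github.com/erlang/docker-erlang-otp.git

Tags: 22.0.7, 22.0, 22, latest
Architectures: amd64, arm64v8
GitCommit: 0123456789abcdef0123456789abcdef01234567
Directory: 22

Tags: 21.3.8.6, 21.3.8, 21.3, 21
GitCommit: 89abcdef0123456789abcdef0123456789abcdef
Directory: 21
"""

# Constructed: what `docker inspect -f '{{.Created}}' erlang:<tag>` would print.
SAMPLE_CREATED = {
    "latest": "2019-07-30T09:15:00.123456789Z",
    "22.0.7": "2019-07-30T09:15:00.123456789Z",
    "21.3.8.6": "2019-05-02T18:40:11Z",      # old build but still in the manifest
    "20.3.8.22": "2019-01-15T12:00:00Z",     # dropped from the manifest: never rebuilt
}
NOW = datetime(2019, 8, 1, tzinfo=timezone.utc)   # fixed "now" so the example is reproducible


def parse_manifest(text):
    """Return one dict per Tags block ({'Tags': [...], 'GitCommit': ..., ...}).

    Blocks are separated by blank lines; the leading block without a Tags line is
    the global header (Maintainers, GitRepo) and is skipped. '#' lines are comments.
    """
    entries, block = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if line.startswith("#"):
            continue
        if not line:
            if "Tags" in block:
                entries.append(block)
            block = {}
            continue
        key, _, value = line.partition(":")  # first colon only; URLs contain colons
        if key == "Tags":
            block["Tags"] = [t.strip() for t in value.split(",")]
        else:
            block[key.strip()] = value.strip()
    return entries


def parse_created(ts):
    """Parse Docker's RFC 3339 Created value (nanosecond fraction, trailing Z)."""
    ts = ts.rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6].ljust(6, '0')}"  # datetime supports microseconds only
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def tag_report(manifest_text, created_by_tag, now, max_age_days=30):
    """Classify Hub tags against the manifest.

    stale:    tags still in the manifest whose current image is older than max_age_days
              (they will get rebuilt eventually, but today they miss base-image fixes)
    unlisted: tags on Hub that are no longer in the manifest; official-images will
              never rebuild these, so pinning to them freezes the base image forever
    """
    listed = {t for entry in parse_manifest(manifest_text) for t in entry["Tags"]}
    stale, unlisted = [], []
    for tag, ts in created_by_tag.items():
        age_days = (now - parse_created(ts)).days
        if tag not in listed:
            unlisted.append(tag)
        elif age_days > max_age_days:
            stale.append((tag, age_days))
    return {"stale": sorted(stale), "unlisted": sorted(unlisted)}


if __name__ == "__main__":
    report = tag_report(SAMPLE_MANIFEST, SAMPLE_CREATED, NOW)
    for tag, age in report["stale"]:
        print(f"stale:    {tag} built {age} days ago")
    for tag in report["unlisted"]:
        print(f"unlisted: {tag} is not in the manifest and will not be rebuilt")
```

The "unlisted" bucket is the one that matters for the security concern raised here: a tag that has fallen out of the manifest is exactly the kind of version-pinned image whose base-layer fixes will never arrive, whatever its Hub page shows.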