End of Life for image "dduportal/bats:0.4.0" + Next Steps #19155
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
/bump (reason: waiting for an answer on #19526)
I think we will need to contact each project individually, unfortunately. @dduportal
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
/bump (reason: WiP on splitting the PR after getting answers from maintainers)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
This issue is being automatically closed due to inactivity.
Is your feature request related to a problem? Please describe.
Hi there! I discovered a few days ago that my personal Docker image dduportal/bats is used in the Helm chart, while trying to delete the tag 0.4.0.
2 days ago, someone opened an issue on my GitHub repo about this image tagged as vulnerable: dduportal-dockerfiles/bats#10, which is true as this is only a simple side project for me + there are more recent tags.
I would like to define with the project what would be the next steps as I could have had a negative impact on this project, without being aware of it. It is an operational risk for the Helm Charts on different levels, and even if I'm happy to provide a useful tool, there should be an upgrade to make helm chart distribution/authoring safer and trustable.
What if someone steals my Docker Hub credentials or GitHub credentials and injects bad code in this image?
Describe the solution you'd like
helm/bats image, built from a trustable github / DockerHub, or maybe https://hub.docker.com/r/bats/bats ?
v1.1.0 (switched to Alpine), even though it introduces changes and other dependencies (bats-asserts libraries for instance)
Describe alternatives you've considered
I.D.K.
Additional context
Happy to help on the implementation, but such a discussion should happen publicly here as a community right?
If you feel anything I said is wrong, not well formulated, not understandable, not well said, I apologize in advance, and please feel free to correct me or tell me!
By the way: thanks a lot for all this awesome work people!
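Added example, not part of the original issue and not Helm project code: a small audit that scans rendered chart manifests for image references that come from a namespace outside an allowlist or are pulled by tag rather than by digest, which are the two risks the issue raises for dduportal/bats:0.4.0. The allowlist, the sample manifest, the bats/bats:v1.1.0 reference and the digest are constructed assumptions.

```python
import re

# Constructed sample of a chart test pod; only the first image comes from the issue.
SAMPLE_TEMPLATE = "\n".join([
    "spec:",
    "  initContainers:",
    "    - name: test-framework",
    '      image: "dduportal/bats:0.4.0"',
    "  containers:",
    "    - name: test",
    "      image: bats/bats:v1.1.0",
    "    - name: pinned",
    "      image: docker.io/bats/bats@sha256:" + "a" * 64,  # placeholder digest
])

# Assumption: namespaces the project has decided to trust (hypothetical allowlist).
TRUSTED_NAMESPACES = {"docker.io/bats"}

IMAGE_LINE = re.compile(r'^[ \t]*(?:-[ \t]*)?image:[ \t]*["\']?([^"\'\s#]+)', re.M)

def parse_image(ref):
    """Split an image reference into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    tag = None
    # A tag colon can only appear after the last slash; earlier colons are ports.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", name  # Docker Hub is the implicit default
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo  # official images live under library/
    return {"registry": registry, "repo": repo, "tag": tag, "digest": digest or None}

def audit(text, trusted=TRUSTED_NAMESPACES):
    """Return (reference, issues) for every image line that needs attention."""
    findings = []
    for ref in IMAGE_LINE.findall(text):
        img = parse_image(ref)
        namespace = img["registry"] + "/" + img["repo"].split("/")[0]
        issues = []
        if namespace not in trusted:
            issues.append("untrusted-namespace")
        if img["digest"] is None:
            issues.append("mutable-tag")  # a tag can be re-pushed with new content
        if issues:
            findings.append((ref, issues))
    return findings
```

Run it over the output of `helm template` rather than raw templates, so that `{{ ... }}` expressions are already resolved to concrete image references.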