AdoptOpenJDK / openjdk-docker

Scripts for creating Docker images of OpenJDK binaries.
https://hub.docker.com/_/adoptopenjdk/
Apache License 2.0
425 stars 236 forks

Please remove dockerhub Images you don't update regularly #569

Open hashworks opened 3 years ago

hashworks commented 3 years ago

In your dockerhub account are multiple image repositories that are over a year old and suffer from multiple security issues. Some of them have over 500k downloads and are still in use. Please remove them.

karianna commented 3 years ago

We won't be removing old images (as that will break users) but we'll investigate sending signals about the obsoletion of these.

grzesuav commented 3 years ago

@hashworks removing them will cause many builds over many places to fail, as they won't be able to download it. So IMO adoptium should never remove any valid image from dockerhub.

Imagine that you have a Dockerfile using one of those for 5 years and suddenly it stops working. I guess you won't be happy, as it will force you to search for a mirror or to do ad-hoc migrations (which can not be an easy one).

hashworks commented 3 years ago

On my end I only noticed that people use those old images because builds were failing when the outdated libraries were unable to connect to our TLS endpoints.

Failing builds may be the only thing that causes people to use updated images instead of the same one for five years. What is better, a failed build that can be fixed in no time or running into security issues or bugs caused by an unmaintained image? I see no other way to reach out to those people than to remove them.

If you really want to keep those images you have to maintain them (add security patches and the like) IMHO.