nodesource / docker-node

Dockerfiles for building docker images with the NodeSource Node.js binaries baked in.
MIT License
192 stars 22 forks

Node v5.1.1, v4.2.3, v0.12.9, v0.10.41 #39

Closed billinghamj closed 8 years ago

billinghamj commented 8 years ago

4 new versions of Node were released today to resolve various security issues in OpenSSL, V8 and Node itself.

Could you add these to Docker Hub please?

Thanks!

retrohacker commented 8 years ago

Hey @billinghamj,

Sorry for the delay (the process of getting them onto hub is still a manual one); they are building locally now! Will push soon :smile:

retrohacker commented 8 years ago

@billinghamj I stand corrected. It looks like we are building the binaries in the upstream repo right now; once they become available there, I'll trigger the build here.

billinghamj commented 8 years ago

Any chance this might get resolved today? Very keen to update to deal with the vulnerabilities.

xmikus01 commented 8 years ago

+1

d6u commented 8 years ago

+1

retrohacker commented 8 years ago

Hey everyone. The registry is updated now and the builds have been triggered. The Docker registry doesn't have an API endpoint for updating automatic build tags yet, so we are still doing it by hand, which adds to the time. There were ~140 changes that need to be made when shipping these. Looking into better solutions that will allow us to ship faster.

d6u commented 8 years ago

@wblankenship Thanks for your work. Our production app depends on the nodesource docker image. It has been of very high quality.

retrohacker commented 8 years ago

Thank you for the kind words @d6u :heart:

Would love to chat sometime about your use of the images: wblankenship@nodesource.com

xmikus01 commented 8 years ago

@wblankenship Thanks for your work. I wanted to rebuild our image, but I realized that there is no update. I'm using the nodesource:trusty/4 image tag. It seems tags 4 and 4.2 were forgotten in the update (and possibly others). They are also missing from the build page: https://hub.docker.com/r/nodesource/trusty/builds/

Also, from the command line it can be seen that the digest for the logically same image differs:

$ docker pull nodesource/trusty:4.2.3
Digest: sha256:c6257044c78b2cb7a50dc621716aff4b0951bc69cdced25bfb22b49a49c706fd

$ docker pull nodesource/trusty:4.2
Status: Downloaded newer image for nodesource/trusty:4.2

$ docker pull nodesource/trusty:4
Digest: sha256:46afe50c84b4b98ac51d9ed51d7fdb7877902a9e1edd71892090d139c0db232a

Do you still support tag prefixes, or were they forgotten by mistake?

retrohacker commented 8 years ago

@xmikus01 I'll break this up into two parts, both of which are super weird.

Part 1: Not having an update for 4

The 4[.2[.3]] values were updated in the automated build settings. I just visually verified:

I also have a tool that verifies this for me (since I can't get an API to automate the updates). When dealing with 400+ Docker images each with several aliases, human error causes quite a bit of drift so I don't trust myself to maintain it by hand. https://github.com/nodesource/docker-node/blob/master/tools/registry_diff.js

I pulled down nodesource/trusty:4 and can confirm that it is 4.2.3

That being said, this wouldn't be the first time the Docker Registry didn't properly update a tag. We are considering dropping the Automated Build tag and uploading our own build logs and pushing our own images (we generate thorough logs every time we run our integration tests).

Part 2: Digest not matching

I have rarely been able to get the digests to match on Automated Builds, even when the Dockerfiles are aliases. I think the culprit is the apt-get commands, and the downloads not being deterministic enough (perhaps timestamps?) to generate an identical hash.

Again, this would be solved by dropping the Automated Build status.

I hope to propose a better solution for all of this in the coming weeks.
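The alias check discussed in the comment above, as an added example that is not part of the thread and is not the repository's registry_diff.js: it compares the Node version each tag reports instead of digests, since digests of separately built aliases differ as described. The tag-to-version map is constructed sample data, and the function names are hypothetical.

```javascript
// Added example: detect alias tags (e.g. "4", "4.2") that do not resolve to
// the newest matching full version. Constructed sample input: tag -> version
// reported inside the pulled image (e.g. via `docker run --rm <image> node --version`).
const observed = {
  '4.2.3': 'v4.2.3',
  '4.2.2': 'v4.2.2',
  '4.2': 'v4.2.3',
  '4': 'v4.2.2', // constructed stale alias
  '5.1.1': 'v5.1.1',
  '5.1': 'v5.1.1',
  '5': 'v5.1.1',
};

const parse = (v) => v.replace(/^v/, '').split('.').map(Number);

// Numeric comparison, so that 0.10.41 sorts above 0.10.9.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Newest full tag whose leading components equal the alias, or null.
function expectedFor(alias, fullTags) {
  const prefix = parse(alias);
  const matches = fullTags
    .filter((t) => prefix.every((n, i) => parse(t)[i] === n))
    .sort((a, b) => compare(parse(b), parse(a)));
  return matches.length ? 'v' + matches[0] : null;
}

function findAliasDrift(tags) {
  // Only numeric tags are checked; names such as "latest" are skipped.
  const names = Object.keys(tags).filter((t) => /^\d+(\.\d+){0,2}$/.test(t));
  const full = names.filter((t) => /^\d+\.\d+\.\d+$/.test(t));
  const drift = [];
  for (const tag of names) {
    const want = full.includes(tag) ? 'v' + tag : expectedFor(tag, full);
    if (want !== tags[tag]) drift.push({ tag, expected: want, actual: tags[tag] });
  }
  return drift;
}

console.log(findAliasDrift(observed));
```

Comparing the reported version catches a stale alias without depending on digests matching between builds.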

xmikus01 commented 8 years ago

@wblankenship Thank you for your very detailed response. You are right, I must apologize for my lack of consistency in the search for the real cause. I was led down the wrong path by believing the Docker Hub tags page and by my ignorance of different hashes for the same image aliases.

I understand that it must be a very big task to build such a big number of images without an appropriate API and support for full automation, and I very much appreciate your effort to make things better :-)