tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Shall we move the test Docker image somewhere else? #1222

Open nishakm opened 1 year ago

nishakm commented 1 year ago

Docker is sunsetting free Team accounts. We host a Docker image in the "vmware" namespace that we use in tests. Is this namespace going away? Should we move this image somewhere else? cc: @rnjudge

rnjudge commented 1 year ago

Thanks for raising this @nishakm! According to https://github.com/docker/hub-feedback/issues/2314#issuecomment-1468574145 "Docker has a specific DSOS program for open-source projects, and it is not affected by the sunsetting of Free Team plans."

So it seems like Tern needs to apply for this and move the image there. If we don't get accepted, then we will need to move the image somewhere else. GHCR seems like the next best option?

rnjudge commented 1 year ago

Hmm... according to the DSOS requirements, the image we keep on Docker Hub must:

"Be in active development (this means image updates are pushed regularly within the past 6 months or dependencies are updated regularly, even if the project source code is stable)"

We have not updated the test image in 3 years (lol). Looks like we should look at GHCR.

nishakm commented 1 year ago

I will leave a comment about our usage of Dockerhub. We may be able to get some suggestions as to how to test without dockerhub.

Vad1mo commented 1 year ago

If, for some reason, the Docker-Sponsored Open-Source Program isn't working out, we are happy to help you out. We operate a Harbor-based container registry as a service that has many benefits over most of the other registries out there.

There are also features regarding containerized image distribution that might be valuable as well.

Don't underestimate the value of owning and controlling your data; it is easier to migrate if the domain is under your control.

Vad1mo commented 1 year ago

btw, also happy to help you display Tern data in Harbor.

nishakm commented 1 year ago

> If, for some reason, the Docker-Sponsored Open-Source Program isn't working out, we are happy to help you out. We operate a Harbor-based container registry as a service that has many benefits over most of the other registries out there.

Thanks! We only have one image we use for testing the client side APIs. I suppose we could run a Harbor container on the CI runner and keep the image as a tarball as part of the test data, but that would be too much trouble. We don't distribute any containers (we may do it in the future).

rnjudge commented 1 year ago

Looks like Docker decided to roll back the sunset of free teams accounts. We should still probably start to think about our plan when they inevitably implement this, though.