Add labels for minor versions about sig-cloud-instance-images HOT 5 CLOSED

I very much actively do not want to do this for several reasons, but I'm open to listening. If you can provide a good reason for doing so, I will reconsider. My reasons against it are:

1. The images are very minimal. Any subsequent packages you install for an application dependency will pull from the current release (in this case 6.6). This means you would not truly have a 6.4 image anyway.
2. Shipping minor releases exposes users to known vulnerabilities such as shellshock, heartbleed, and other others not well known enough to have names. We tag by the major version and update every month to ensure the containers have no known security issues.
3. By the nature of minor version tags, we would not be able to provide any updates for that image that did not automatically move it to the most recent minor tagged version.

Can you outline your use case, why it needs a specific minor tag, etc?

from sig-cloud-instance-images.

Hi Jim,

I also believe the community would benefit from and appreciate having minor releases images. The most important use case is none other than having a repeatable build.

To discuss your (still valid) points:

1. Prior to updating or installing packages, users may have configured yum to use local mirrors pointing to a minor release repository.
2. I speak only for myself, but in some cases I would like to take my own responsibility for this. Also, sometimes you actually need a vulnerable system, if only to experiment with the vulnerability.
3. The important part of the minor release is the binaries as they once were. I had an incredibly hard time finding a suitable CentOS 6.5 image because admittedly I was too stupid to have saved my copy in a proper place, and I could not use CentoOS 6.6 packages, as I needed to simulate an existing environment using local 6.5 mirrors.

In sum: I understand these use cases are not the norm, and you have reasonable motivation. I'm not even sure minor tags are the best answer; maybe there could be an official archive for old images. As davebirch mentioned, a lot of people on CentOS registry page are asking for this, so the tradeoff for CentoOS here is between forcing users onto a more suitable image and the perceived frustration from lacking a (sometimes legitimate) choice.

Could you please reconsider, or maybe help the community find an alternative for this? At least going forward from 7.0?

from sig-cloud-instance-images.

It seems there's quite an overwhelming majority support for this. With the next monthly update, I'll add a 6.6 stock image, as well as a 7.0.1406 stock image. Since this will be built just slightly after Christmas, consider it my present to the community. From that point forward, minor update images will be available for the initial release only. The 6, 7, and 'latest' tags will still continue to point to the rolling releases. Fair?

I also reserve the right to blog angrily about this!

from sig-cloud-instance-images.

From what I can imagine, going from an initial release to any minor release using local mirrors should never be a problem. Given you seem to be handling this on your own, I'd say it's more than fair.

Also, pointing latest at the rolling release is ideal. I'm pretty sure everyone would agree with that.

Thanks for the christmas present!!!

from sig-cloud-instance-images.

docker-library/official-images#384

This commit adds short names (centos:6 vs centos:centos6) as well as minor releases. Should be in the docker index soon.

from sig-cloud-instance-images.