openjdk-docker

Please remove dockerhub Images you don't update regularly

Open hashworks opened this issue 4 years ago • 3 comments

In your dockerhub account are multiple image repositories that are over a year old and suffer from multiple security issues. Some of them have over 500k downloads and are still in use. Please remove them.

  • https://hub.docker.com/r/adoptopenjdk/openjdk13-openj9
  • https://hub.docker.com/r/adoptopenjdk/openjdk13
  • https://hub.docker.com/r/adoptopenjdk/openjdk12-openj9
  • https://hub.docker.com/r/adoptopenjdk/openjdk12
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk13-openj9
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk13
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk11-openj9
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk11
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk8-openj9
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk8
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk12-openj9
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk12
  • https://hub.docker.com/r/adoptopenjdk/openjdk10-openj9
  • https://hub.docker.com/r/adoptopenjdk/openjdk10
  • https://hub.docker.com/r/adoptopenjdk/openjdk9-openj9
  • https://hub.docker.com/r/adoptopenjdk/openjdk9
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk10-openj9
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk10
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk9-openj9
  • https://hub.docker.com/r/adoptopenjdk/maven-openjdk9

hashworks Apr 30 '21 08:04

We won't be removing old images (as that will break users) but we'll investigate sending signals about the obsoletion of these.

karianna May 05 '21 13:05

@hashworks removing them will cause many builds in many places to fail, as they won't be able to download them. So IMO adoptium should never remove any valid image from dockerhub.

Imagine that you have a dockerfile using one of those for 5 years and suddenly it stops working. I guess you won't be happy, as it will force you to search for a mirror or to do ad-hoc migrations (which may not be an easy one).

grzesuav Jun 03 '21 08:06

On my end I only noticed that people use those old images because builds were failing when the outdated libraries were unable to connect to our TLS endpoints.

Failing builds may be the only thing that causes people to use updated images instead of the same one for five years. What is better, a failed build that can be fixed in no time or running into security issues or bugs caused by an unmaintained image? I see no other way to reach out to those people than to remove them.

If you really want to keep those images you have to maintain them (add security patches and the like) IMHO.

hashworks Jun 03 '21 13:06