Hacker News new | ask | show | jobs
by john-shaffer 2131 days ago
There are lots of random downvotes for no real reason. Sometimes perfectly ordinary posts are dead. I try to upvote gray posts if they're not worthless.

That said, my take (and that of siblings) is that I'm much better off building my own containers than serving as unpaid Q&A for Bitnami. It would be smart to use containers built by people more expert than I am. Containers that are broken by default do not meet that criteria. So, "reach out to community support" is not helpful to people that have already decided to ditch Bitnami.

> We're careful to pin versions, and hadn't anticipated someone would re-write history and break published code.

This is exactly the kind of thing that will make me ditch a company forever and never look back.
1 comments
ithkuil 2128 days ago
It's not clear what happened though.

We use immutable tags like "4.2.8-debian-10-r50" which we never overwrite.

Then we have "semantic versioned" moving tags, like "4.2.8", "4.2", ... which resolve to the latest image matching that prefix.

Moving tags are what they are; I'm personally not a fan; all major popular images have that (https://hub.docker.com/_/golang, https://hub.docker.com/_/python, ...)

You can read more about Bitnami tagging scheme at: https://docs.bitnami.com/tutorials/understand-rolling-tags-c...

If you want to pin your image you should either use the most specific tag or just use the digest:

    $ crane digest bitnami/mongodb:4.2
    sha256:8650c2d92eea97732eae359a140ee86ee3923a2a19b19443e1dc01ec20d5387d
    $ docker run bitnami/mongodb:4.2@sha256:8650c2d92eea97732eae359a140ee86ee3923a2a19b19443e1dc01ec20d5387d
Now, we might have introduced a regression between some version of a container and the next minor version; shit happens; it's hard to tell without more specific information though.

> > We're careful to pin versions, and hadn't anticipated someone would re-write history and break published code.

> This is exactly the kind of thing that will make me ditch a company forever and never look back.

On the other hand, assuming that instead of a misunderstanding, what you saw is actually the image behind an immutable tag such as 4.2.8-debian-10-r50 being replaced, this is a serious security issue; somebody could have hacked docker hub, or crafted a valid certificate for docker hub and MitM'd you,

I'd also ditch a company forever and never look back if they honestly don't care about that problem, which I assure you it's not the case.

We'd greatly appreciate reporting such cases to security@bitnami.com / security@vmware.com .

link