| It's not clear what happened though. We use immutable tags like "4.2.8-debian-10-r50" which we never overwrite. Then we have "semantic versioned" moving tags, like "4.2.8", "4.2", ... which resolve to the latest image matching that prefix. Moving tags are what they are; I'm personally not a fan; all major popular images have that (https://hub.docker.com/_/golang, https://hub.docker.com/_/python, ...) You can read more about Bitnami tagging scheme at: https://docs.bitnami.com/tutorials/understand-rolling-tags-c... If you want to pin your image you should either use the most specific tag or just use the digest: $ crane digest bitnami/mongodb:4.2
sha256:8650c2d92eea97732eae359a140ee86ee3923a2a19b19443e1dc01ec20d5387d
$ docker run bitnami/mongodb:4.2@sha256:8650c2d92eea97732eae359a140ee86ee3923a2a19b19443e1dc01ec20d5387d
Now, we might have introduced a regression between some version of a container and the next minor version; shit happens; it's hard to tell without more specific information though.> > We're careful to pin versions, and hadn't anticipated someone would re-write history and break published code. > This is exactly the kind of thing that will make me ditch a company forever and never look back. On the other hand, assuming that instead of a misunderstanding, what you saw is actually the image behind an immutable tag such as 4.2.8-debian-10-r50 being replaced, this is a serious security issue; somebody could have hacked docker hub, or crafted a valid certificate for docker hub and MitM'd you, I'd also ditch a company forever and never look back if they honestly don't care about that problem, which I assure you it's not the case. We'd greatly appreciate reporting such cases to security@bitnami.com / security@vmware.com . |