by stingraycharles 1480 days ago
> The rate limits were mostly in place to deny corporate CI users access to the Hub free of charge and force them to pay or deploy a mirror.

What I never understood is why they didn’t just properly handle this with mirrors like any package manager does; why is this a problem for docker, but not for yum / apt / etc?

I have to admit that these rate limits have accelerated my migration to alternatives like quay.io

4 comments

By default container images are not signed (there is notary, but it's not commonly used - maybe notary V2 will change that - and I think the signature changes depending on the registry it's hosted on anyway?), which makes it inconvenient to mirror.

Now, why we are still producing new package formats without mandatory signatures (containers, npm, cargo, etc.) is not really clear to me. I guess everyone must think "those old crazy Unix folks signing their Deb and Rpm must have had their crazy reasons, but we have no reason to do the same" :) A more cynical thinker would say "it makes it inconvenient to mirror things and easier to build a business from the central repository" :)

I believe that adding key handling as a necessary step for npm, docker, and similar registries isn't a good idea.

But it would be easy to sign all packages: if the author has decided not to use signatures, the registry adds its own signature; at any moment the author can choose to start using their own keys in place of the registry's.

The layers have checksums so couldn't you store the metadata centrally and mirror the checksummed blobs?

What is rate limited on docker hub is fetching the image manifest, rather than the blobs, so that wouldn't work I think.

https://docs.docker.com/docker-hub/download-rate-limit/#defi...

There's also the conspiracy: "it's the CIA who infiltrated docker to get access on every server in the world" ;)
This is a quite reasonable attack vector for US cyber-offense.
They opposed adding support for private mirrors in the software, probably to retain their monopolistic position.

https://github.com/moby/moby/pull/34319

You can set up pull-through caches, which function basically the same as a mirror if you have pulled an image before.

https://docs.docker.com/registry/recipes/mirror/
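As an added illustration of the pull-through cache the comment above refers to (this is example config, not from the thread or from Docker's own docs), a minimal config.yml for a `registry:2` instance that proxies Docker Hub; the hostname, certificate paths and Hub service account are placeholders:

```yaml
# Constructed example: /etc/docker/registry/config.yml for a registry:2
# container run as a pull-through cache in front of Docker Hub.
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /var/lib/registry   # cached manifests and blobs land here
http:
  addr: :5000
  tls:
    # Serve the cache over TLS so client daemons do not need an
    # insecure-registries entry (placeholder paths).
    certificate: /certs/mirror.example.internal.crt
    key: /certs/mirror.example.internal.key
proxy:
  # Only Docker Hub can be proxied; this is its API endpoint.
  remoteurl: https://registry-1.docker.io
  # Optional: authenticate to Hub so every CI node behind this cache draws on
  # one account's quota instead of each node's anonymous per-IP limit.
  # Supply the secret via the REGISTRY_PROXY_PASSWORD environment variable
  # rather than writing it into this file (placeholder account name below).
  username: hub-service-account
```

Point each Docker daemon at the cache with `{"registry-mirrors": ["https://mirror.example.internal:5000"]}` in `/etc/docker/daemon.json`; a registry in proxy mode accepts no pushes, so it cannot replace a private registry for your own images.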

Docker is a for-profit company. The question wasn't "how do we ensure that this stays available?" but "how do we make money from this?".

To that I say that Docker is a great example of terrible choices on how to monetize their technology, this being one of them.

A guess: it takes a long time to get a reliable network of mirrors (mostly spent building relationships with institutions, like universities, with both the bandwidth/infrastructure you need and the willingness to lend it for free), and Docker is quite new.

Why would anyone give a for-profit company free stuff? You don't get to have it both ways. It's either open source or it's not, and from what I've seen of docker, it's very closed.