[mc4ndr3]

Imagine if everyone actually did this. Then we would have a myriad of base images hiding even more malware than we do currently.

Not to mention vertically integrating the entire Docker layer set defeats the whole point of using Docker in the first place.

[tehbeard]

That's.... I don't know how you even arrived at that idea of that being what happens? Are you imagining some kludged together perl script to hackily save the tarballs, written by someone who is then immediately let go?

What they're suggesting is basically setting up a cache for it locally in-between them and the "main repo" and ensuring the cache doesn't delete after x days and/or keep backups of the images they depend on.

If the package disappears, or the main repo falls over (cough github, cough), your devs, CI & prod aren't sat twiddling thumbs unable to work...

and if the package is nuked off the planet? You've got some time then to find an alternate / see where they move to.

[aprdm]

No, you're wrong. Everyone who wants to stay in business and makes money actually does it. Has been my experience in all big companies, it's a business continuity problem /not to do it/. You can and should run security in the vendored images.

[chaxor]

What are you talking about? Malware and spyware is just as likely (if not very much *more* likely - depending on the definition of malware or spyware*) to be in corporate sponsored software than it is in foss software, and that idea extends to software distribution.

I would expect the security and quality of images in a decentralized system to be far superior to any centralized system spun up by some for profit entity.

* malware and spyware could be defined here as software that allows remote keylogging, camera activation, installation of any executables, etc - i.e. root access - which is precisely what most corporate entities make software to do (e.g. "security solutions" that you have to install on your work computers). This is also most web services which are 90% tracking with an occasional desired application or feature these days.

[twblalock]

I've never worked somewhere that didn't have an internal Artifactory with copies of everything.

Not doing that is unusual, and actually less secure. Do you think it's sane or secure for all of your builds to depend on downloading packages from the public internet?

[wlesieutre]

They're internal mirrors of public images, if there's something in your infrastructure installing malware on them you've got bigger problems