[mikesir87]

(from Docker DevRel team)

> Given these statements directly contradict each other

Actually... they aren't contradictory. The organization data will be retained for 30 days and is subject to deletion. That data includes the teams, memberships, etc. But, it wasn't clear what we were going to do about the images. Keeping the public images is important as many other images build on top of them.

> It feels like they changed the actual strategy

We recognize it might feel that way, so apologies. But, that's part of where we are recognize it wasn't clear the technical details... we didn't talk at all about the images. After the feedback, we recognized this, so wanted to make that clear.

[terom]

If you are deleting the organizational data and effectively archiving [1] all the images, keeping only the option for public images to be pulled but not updated... then how will affected maintainers be able to delete their now out of date public images after the 30 day cut-off? You will have to retain enough of the organization data to allow that to happen.

Keeping the public images available in an archived state is okay for specific image references, but questionable for specific image tags and somewhat irresponsible for the `latest` tag. A `latest` tag that cannot be updated is ... worse than no `latest` tag.

Responsible maintainers that are unable to apply for open-source status or otherwise sponsor their usage of organization public repos should be advised to delete their public repos.

Responsible users of public images on Docker Hub need to have a way to determine which images will be affected, and which will continue to be maintained. Archiving the public repos gives an extended grace period, but users will still need to be prepared to notice if they end up using a now unmaintained, archived repo and migrate to alternative image sources.

[1] https://news.ycombinator.com/item?id=35188691

[pmoriarty]

"somewhat irresponsible for the `latest` tag. A `latest` tag that cannot be updated is ... worse than no `latest` tag"

What's irresponsible is relying on a "latest" tag for updates.

[TheDong]

The irresponsible thing is making it so the tag exists, but the organization behind it cannot update it.

Let's take for example the "jenkins/jenkins:latest" image.

Jenkins is notorious for having security updates, so in 2 years, if the latest tag is still there and frozen, it will be an attractive nuisance, causing people to download insecure software...

That's what the parent comment is trying to say. It's irresponsible to leave the image that implies it's "up to date and secure" because it's "latest", but is really insecure, and the organization owning it cannot change anything about that without paying $$. It's basically holding users of the image hostage.

[francislavoie]

You missed his point. He's saying "latest is an anti-pattern". Which is correct. Everyone should be pinning to specific versions or semver to avoid being accidentally upgraded to a release with breaking changes.

Yes, obviously making existing tags immutable is bad. Nobody is disputing that.

[code_biologist]

There are exceptions though. I'm the kind of person that would pin Jenkins to latest even if it is an antipattern. I'm way more concerned about security flaws than a temporary CI breakage. So for me: Everyone should be pinning Jenkins to latest to avoid accidentally staying on a release with security holes.

[rightbyte]

You are not only auto pulling fixes bit also auto pulling new security holes though.

My take on Jenkins with all its plugins is that it need to be properly shielded from external access anyways.

[3np]

You probably want to pin to at least a major tag to avoid auto-pulling breaking changes at any moment but still getting security updates.

[paranoidrobot]

It's not* just `latest` tags, it will also affect any other image tag.

If you've been referencing org/image:tag where tag=major-minor, and gets updated when there's a patch, then that's going to stop getting updated.

Without either the tag being deleted (and thus your pulls failing), or going out to find updates on that container - you may not notice that it's fallen out of date and the image/tag is no longer being updated.

With the entire organisation being removed from Dockerhub, it sounds like there's not even going to be a way for people to say "We've moved off Dockerhub, our images/source/etc is now over here".

You'll just have to search and hope you can find where it's moved to.

[nunez]

is it?

sometimes I want a container running the latest version of something. maybe i'm integration testing my stuff against that release to make sure stuff still works. or maybe I'm hoping a bug was fixed and will version pin later.

i agree that production software should version-pin all the things, but latest still has a place.

[vertis]

Deleting 'organization data' absolutely read that they would delete everything. Changing direction and back pedaling with a non-apology is borderline insulting.

I understand the need to make money as a company, but it really is biting the hand that fed messing with open source maintainers

[pgwhalen]

I have no horse in this race, but fwiw, I can see how this mistake would be made honestly. Organization data could be easily refer to just the metadata of the organization, and depending on how the product is structured[1], could feel quite different from public images.

[1] Disclaimer: I don't know how the product is structured.

[nikolay]

They really think we're idiots!

[brianwawok]

Marketing people try to explain away mistakes with doublespeak. Isn’t it grand? They keep digging deeper at this point.

[jrumbut]

"Actually" is not a great word to use in the context of an apology.

[bombcar]

We have learned that public images are NOT organization data!

[golem14]

With the organization data gone, will there be a way to update the retained images, like security fixes etc? If not, then this could become very dangerous.

[mbreese]

Really, if they delete the org data and images can’t be updated, it might just be better to delete them all just to avoid these inevitable issues (maybe with a longer delay). Just rip the band-aid off and be done with it.

[goodpoint]

Relying on a free service for important work? Maybe they are right.

[dns_snek]

Silly us, I suppose we should stop relying on APT/RPM/what-have-you Linux package mirrors, NPM, NuGet, PyPi, Hex, RubyGems, Crates, ... too.

[goodpoint]

No. There's a huge difference between a volunteer driven organization and a for-profit company.

Their goals are completely different. The latter is not there to give you services. It's there to maximize shareholder value.

It's sad to see that HN can't even tell the difference anymore.

[dns_snek]

Neither npm nor NuGet are volunteer driven organizations. npm is owned by Github, NuGet is owned by Microsoft, and I'm sure that there are dozens of other examples behind many key pieces of free dev&ops infrastructure that are owned by for-profit companies.

Are they allowed to do it? Of course! Are we allowed them to call them out on their bait & switch tactics? Of course, what else are we supposed to do?

Just because something is common, like building a user base based on implicit promises and then pulling the rug once the service reaches critical mass, doesn't mean it should be accepted and normalized.

[nikolay]

We all rely on many free services and code. And, by the way, I'm a paying customer - I don't use their services but do this to support the pioneer!

[Lazare]

I understand you are in a difficult position, but this is a bit absurd.

> During that period you will maintain access to any of your public images.

The only reason that sentence would be in there is if after that period you would lose access to the public images! And from Merriam-Webster, "access", verb, definition two: "to open or load (a computer file, an Internet site, etc.) a file that can be accessed by many users at the same time".

> it wasn't clear what we were going to do about the images.

No, it was quite clear; after the 30 day period we would not be able to pull the images. That's what the announcement said. It was not ambiguous. That may not have been the policy or what was intended to be announced, but the issue here isn't a lack of clarity.

(Also, letting the images stay accessible but disallowing any changes is only marginally better than just removing them, so the current policy - whether or not it's the same as the originally announced policy - is still terrible.)

[derefr]

I’m guessing they mean “write access.”

[Lazare]

Write access is a subset of all access, so I don't think we can really argue that the plain meaning of the original statement was about removing write access.

But yes, a missing word is certainly a plausible explanation for how they issued a statement that meant the opposite of what they apparently intended.

[tremon]

But the original statement did not say all access, it merely said access:

> During that period you will maintain access to any of your public images

Assuming that the you in that sentence is the organization and not the general public (given the use of your organization earlier in the paragraph), the logical interpretation is that they meant write access here, and not all access -- since read access is not limited in any way to the you in that sentence.

Yes, I agree the original messaging was terrible. But claiming that the original can only have meant all access is not consistent with the wording of the announcement.

[bragr]

>Actually... they aren't contradictory.

They are. Your intent may not have been contradictory, but the messages received by everyone else were contradictory. You should own that if you are serious about doing better. Your intent doesn't really matter in these situations.

[travisjungroth]

Yeah, really weird that after an apology announcement they’re still defending the original message at all. Not too hard to say “Yes, those messages contradict each other. The first one did not communicate our actual plan. The second message is a correction and clarification.”

[chasil]

It is important to understand that most corporations do not apologize, ever, unless there is a direct threat to cash flow.

This behavior is now demonstrated, it is the desired relationship, and it will be the baseline, all protestations aside.

The apology is meaningless. If this is not what you want, then take steps to limit the damage done to you, and do it now.

[HelloNurse]

More cynically, the intent might be blaming image maintainers: since obsolete images that appear current are a problem, responsible maintainers will delete them before losing access; then Docker will be able to tell inconvenienced end users that the maintainers autonomously and unnecessarily decided to remove their images.

[angelbar]

This...

[xboxnolifes]

That's.... why they are saying it was poor communication.

[throwwwaway69]

They did in the OP link. To say now in comments "It's not contradictory" is not owning up to it being bad communication

[burnished]

What? That does not follow at all.

[patmcc]

>>>During that period you will maintain access to any of your public images.

What did this mean in that case? That the images will continue to exist but the maintainers cannot update them? They'll just become orphaned?

[mikesir87]

(from the Docker DevRel team)

"During that period" refers to the 30-day period. During that time, the images are accessible. After the 30-day period, they will still be pull-able, but not able to be updated.

[yencabulator]

So, any public image where the maintainer doesn't jump through hoops gets frozen in time, unable to be updated, and starts accumulating CVEs? This sounds worse than deleting the image.

Any smart FOSS maintainer will find alternate hosting...

[setr]

> Any smart FOSS maintainer will find alternate hosting...

I think that’s obviously the point of the whole exercise — pony up or leave. They’re just doing it in an annoying manner

[eyegor]

Can't believe how soon this announcement came after the redhat "we're killing centos support now, best of luck". It's pretty clear how this industry reacts to major support changes with no heads up.

[terom]

This is an important implication that needs to be brought up in the FAQ explicitly.

In other words, the public repos are being archived. If I was a maintainer responsible for providing up-to-date and secure images, then I think it would indeed by my duty to delete them, if I am no longer able to update them.

[ok_dad]

> If you don’t upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that time, you will maintain access to any images in your public repositories, though rate limitations will apply.

Specifically (emphasis mine):

> During that time, you will maintain access to any images in your public repositories

So, the logical conclusion, which literally everyone else on HN had, was that after that time you will lose access to images in your public repositories; access meaning "we can get to the image" in this context, because that's what people f-n care about.

Not to mention the other part, about how Docker will still have images available for pull that can't be changed, for which there is no way to "forward" user pulls elsewhere if the developer chose to not pay the fee; so in affect you're capturing their user base with old software and almost no way to know that.

"DevRel" at Docker failed this week. Just own up to it, take the hit, and don't be evasive. Evasiveness is shady and no one trusts that bullshit.

[ilyt]

Delete them.

Keeping them read only is literally the worst solution. Old images that can't be updated and accrue security flaws, all while uninformed users see address still work and assume nothing needs to be changed.

Your corporation picked literally worst way to do it.

[bruce511]

>> Your corporation picked literally worst way to do it.

I disagree. The worst way would be to make a blanket decision for all projects on their behalf.

This way they let the project maintainer decide.

For projects that don't get updated, it's better to leave them where they are.

For projects that are changing the maintainers can choose to delete (or move to a paid / OSS plan).

Choice is good, and giving that choice to maintainers is good.

The final act if goodness (and I'm not clear yet) is whether maintainers will be able to delete an image at some point in the future. Like say a year from now. Possibly by creating a paid account, and "reclaiming" that image.

Personally I agree that your advice to delete them may be the best option for most maintainers who have decided to leave. And they currently have the ability to do that.

Hence my assertion that your statement is incorrect.

[zamnos]

You didn't address the issue of security. The problem with leaving it up to the projects is that projects won't necessarily respond, and we don't want the foundations of the next Mantis 26M rps botnet to get its start from PULL insecure:latest.

[bragr]

>accessible

>pull-able

To any reasonable average person, these mean the same thing.

[diffeomorphism]

Absolutely not. For users, yes. For the person uploading/modifying the image, hell no.

[foobiekr]

So you’re going to continue to host images that have severe remote code execution exploits?

With no way for the person who posted them to ask people not to use them?

[ilyt]

It appears that even after nonapology they still don't get the fucking problem.

The whole thing only needs docker infrastructure getting hacked because it used some of the now-orphaned containers to complete the shitshiw

[bigiain]

I wonder what a court would think about who'd be legally liable there?

BigCo or GovDepartment gets popped via a known exploit against a fixed bug in an OSS project, but GitHub has prohibited the project from updating the explicable image they host without paying a ransom of $420/year?

[Twirrim]

> So you’re going to continue to host images that have severe remote code execution exploits?

That seems an great way to take some very significant reputation hits.

[2h]

> Actually... they aren't contradictory.

you're on the Docker DevRel team, why are you talking like this? why do you feel the need to be confrontational? not a good look.

[zamnos]

Somewhere in Silicon Valley are the people who were passed over for this job, yelling at their phones. Maybe they should get a call back.

[HDThoreaun]

Communication isn't about you meant, it's about what the person you're communicating to thought you meant.

[hgsgm]

Can the images be updated after the organizational data is gone? If not, is there a security concern, since vulns are likely to be discovery in future?

[steponlego]

Face it, you're on heavy damage control and it just seems... untrustworthy.

[ilyt]

sooooooooooooooooo orgs that didn't want to upgrade are still left with users pinned to old address of the image with no option to push security updates?