by TheDong 1189 days ago
The irresponsible thing is making it so the tag exists, but the organization behind it cannot update it.

Let's take for example the "jenkins/jenkins:latest" image.

Jenkins is notorious for having security updates, so in 2 years, if the latest tag is still there and frozen, it will be an attractive nuisance, causing people to download insecure software...

That's what the parent comment is trying to say. It's irresponsible to leave the image that implies it's "up to date and secure" because it's "latest", but is really insecure, and the organization owning it cannot change anything about that without paying $$. It's basically holding users of the image hostage.

1 comments

You missed his point. He's saying "latest is an anti-pattern". Which is correct. Everyone should be pinning to specific versions or semver to avoid being accidentally upgraded to a release with breaking changes.

Yes, obviously making existing tags immutable is bad. Nobody is disputing that.

There are exceptions though. I'm the kind of person that would pin Jenkins to latest even if it is an antipattern. I'm way more concerned about security flaws than a temporary CI breakage. So for me: Everyone should be pinning Jenkins to latest to avoid accidentally staying on a release with security holes.

You are not only auto pulling fixes but also auto pulling new security holes though.

My take on Jenkins with all its plugins is that it needs to be properly shielded from external access anyways.

You probably want to pin to at least a major tag to avoid auto-pulling breaking changes at any moment but still getting security updates.
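As an added example that is not part of the thread (none of the commenters posted code), here is a small Python checker that encodes the policy the last comments converge on: classify each FROM reference in a Dockerfile by how tightly it is pinned, flag ":latest" (and untagged references, which Docker treats as ":latest") plus moving alias tags such as "lts", accept major, minor and patch tags, and report digest pins separately because they are immutable and so never pull fixes on their own. The sample Dockerfile, tag values and function names are constructed for this example and are not taken from Jenkins or any real project.

```python
"""Classify how tightly container image references are pinned.

Added example for this thread, not code from the thread or from Jenkins.
Policy encoded: reject ':latest' and untagged references, reject moving
alias tags ('lts', 'alpine', ...), accept tags with at least a major
version, and flag digest pins as immutable (no fixes until re-pinned).
"""
import re

# Leading numeric components of a tag: '2', '2.440', '2.440.1-jdk17', 'v1.4'.
_NUMERIC_TAG = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+.].*)?$")
_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_ref(ref: str):
    """Split 'registry:port/repo:tag@sha256:...' into (name, tag, digest)."""
    name, _, digest = ref.strip().partition("@")
    if digest and not _DIGEST.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    tag = None
    # A ':' introduces a tag only if it comes after the last '/'; otherwise
    # it is a registry port, as in 'localhost:5000/repo'.
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    return name, tag, digest or None


def classify(ref: str) -> str:
    """Return one of: digest, patch, minor, major, named, floating."""
    _, tag, digest = parse_ref(ref)
    if digest:
        return "digest"
    if tag is None or tag == "latest":
        return "floating"
    m = _NUMERIC_TAG.match(tag)
    if not m:
        return "named"  # alias tag like 'lts': moves just like 'latest'
    depth = sum(1 for g in m.groups() if g is not None)
    return {1: "major", 2: "minor", 3: "patch"}[depth]


# Verdicts for the kinds the policy reports; major/minor/patch pass silently.
_VERDICT = {
    "floating": "':latest' or untagged: every rebuild pulls whatever is newest",
    "named": "moving alias tag: breaking changes arrive exactly like ':latest'",
    "digest": "digest pin: immutable, receives no security fixes until re-pinned",
}

_FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)


def check_dockerfile(text: str):
    """Return [(line_no, ref, kind, verdict)] for FROM lines the policy reports."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _FROM.match(line)
        if not m:
            continue
        ref = m.group(1)
        # 'scratch' is not an image; '$' means a build-arg we cannot resolve here.
        if ref.lower() == "scratch" or "$" in ref:
            continue
        kind = classify(ref)
        if kind in _VERDICT:
            findings.append((n, ref, kind, _VERDICT[kind]))
    return findings


# Constructed sample Dockerfile; the tags are illustrative, not a real build.
SAMPLE_DOCKERFILE = (
    "# constructed sample, not any real project's Dockerfile\n"
    "FROM jenkins/jenkins:latest\n"
    "FROM jenkins/jenkins\n"
    "FROM jenkins/jenkins:lts-jdk17\n"
    "FROM jenkins/jenkins:2-jdk17\n"
    "FROM jenkins/jenkins:2.440.1-jdk17\n"
    "FROM --platform=linux/amd64 localhost:5000/tools/scanner:1.4\n"
    "FROM python:3.12-slim AS builder\n"
    "FROM jenkins/jenkins@sha256:" + "a" * 64 + "\n"
)


if __name__ == "__main__":
    for line_no, ref, kind, verdict in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {ref} [{kind}] {verdict}")
```

Run it against the constructed sample and lines 2, 3, 4 and 9 are reported; the major tag on line 5, the patch tag on line 6 and the minor tags on lines 7 and 8 pass. The digest finding is deliberately a note rather than a rejection: a digest is the strongest pin for reproducibility, but it is exactly the frozen-tag situation the thread warns about unless something re-pins it on a schedule.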