On Mon, Jul 20, 2015 at 1:46 PM, Przemek Klosowski <przemek.klosowski@xxxxxxxx> wrote:
> On 07/20/2015 02:13 PM, Dennis Gilmore wrote:
>
> On Monday, July 20, 2015 01:00:34 PM Josh Boyer wrote:
>
> On Mon, Jul 20, 2015 at 12:39 PM, Adam Miller
> <maxamillion@xxxxxxxxxxxxxxxxx> wrote:
>
> There was an issue ticket filed against the Fedora Docker Base
> Images[0] GitHub repo requesting that older End-Of-Life'd (EOL'd)
> Fedora releases be made available as docker images[1] ...
>
> Even if this is positioned as "archival" or "research", I think
> providing these after EOL is simply going to lead to further use of an
> EOL Fedora. That is essentially setting up those users for security
> exploits and a poor user experience when none of their bugs will be
> fixed.
>
> I agree with Josh 100% here. We should not enable people to run unsupported
> software.
>
> And there's the rub---containers are about creating isolated environments
> for a specific integration purpose.
> Unfortunately, updating and patching is at cross purposes to that, so we
> have this creative tension :).
>
> Modern package-based systems like Fedora achieved a practical "patch early
> and often" setup with responsive security posture, but they are subject to
> creeping subsystem incompatibilities. Containers deliver integrated systems
> that address very well the initial requirements, but I haven't seen a good
> story on how they respond to dynamical security demands. So far their track
> record is not so good ( "over 30% of official images in Docker Hub contain
> high priority security vulnerabilities",
> http://www.infoq.com/news/2015/05/Docker-Image-Vulnerabilities ).
>
> I am really curious how will this play out.

I don't really want to get too far down the road of the philosophy behind containerized environments versus "traditional" but on the topic of security in container images, this is something that is being worked on and one example of that is image-scanner[0].

I'm mostly interested in the general consensus behind if we should make an effort to ship previously EOL'd Fedora releases. If you were aiming to make an argument for or against it then my apologies and I would like to request clarification because I misunderstood and am unsure if you were for or against.

-AdamM

[0] - https://github.com/baude/image-scanner

>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct