Hosting End-Of-Life Fedora Base images?

Adam Miller maxamillion at fedoraproject.org
Mon Jul 20 18:52:23 UTC 2015


On Mon, Jul 20, 2015 at 1:46 PM, Przemek Klosowski
<przemek.klosowski at nist.gov> wrote:
> On 07/20/2015 02:13 PM, Dennis Gilmore wrote:
>
>> On Monday, July 20, 2015 01:00:34 PM Josh Boyer wrote:
>>
>>> On Mon, Jul 20, 2015 at 12:39 PM, Adam Miller
>>> <maxamillion at fedoraproject.org> wrote:
>>>
>>>> There was an issue ticket filed against the Fedora Docker Base
>>>> Images[0] github repo requesting that older End-Of-Life'd (EOL'd)
>>>> Fedora releases be made available as docker images[1] ...
>>>
>>> Even if this is positioned as "archival" or "research", I think
>>> providing these after EOL is simply going to lead to further use of an
>>> EOL Fedora.  That is essentially setting up those users for security
>>> exploits and a poor user experience when none of their bugs will be
>>> fixed.
>>
>> I agree with Josh 100% here. We should not enable people to run unsupported
>> software.
>
> And there's the rub---containers are about creating isolated environments
> for a specific integration purpose.
> Unfortunately, updating and patching is at cross purposes to that, so we
> have this creative tension :).
>
> Modern package-based systems like Fedora achieved a practical "patch early
> and often" setup with responsive security posture, but they are subject to
> creeping subsystem incompatibilities. Containers deliver integrated systems
> that address very well the initial requirements, but I haven't seen a good
> story on how they respond to dynamical security demands. So far their track
> record is not so good ("over 30% of official images in Docker Hub contain
> high priority security vulnerabilities",
> http://www.infoq.com/news/2015/05/Docker-Image-Vulnerabilities).
>
> I am really curious how this will play out.

I don't really want to get too far down the road of the philosophy
behind containerized environments versus "traditional", but on the
topic of security in container images, this is something that is being
worked on and one example of that is image-scanner[0].

I'm mostly interested in the general consensus on whether we should
make an effort to ship previously EOL'd Fedora releases. If you were
aiming to make an argument for or against it, then my apologies and I
would like to request clarification, because I misunderstood and am
unsure if you were for or against.

-AdamM

[0] - https://github.com/baude/image-scanner

>
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
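The practical worry in the thread above is that a container built on an EOL'd Fedora silently stops receiving security updates. The script below is an added example (not part of this thread, and not code from image-scanner or the Fedora Docker base images project) showing the check a practitioner would run over an image: parse the image's /etc/os-release per os-release(5), look the release up in an EOL table, and report whether the base is still supported on a given date. The EOL dates in FEDORA_EOL and the sample os-release texts are constructed for illustration and are assumptions; take the real dates from the Fedora release schedule.

```python
"""Flag container images whose Fedora base release has gone End-Of-Life.

Added example, not part of the original mailing-list thread.
Feed it the image's /etc/os-release, e.g.
    docker run --rm IMAGE cat /etc/os-release | python3 eol_check.py
"""
import datetime as dt
import re
import sys

# ASSUMED EOL table (release -> date updates stopped), for illustration only.
FEDORA_EOL = {
    "19": dt.date(2014, 1, 6),
    "20": dt.date(2015, 6, 23),
    "21": dt.date(2015, 12, 1),
    "22": dt.date(2016, 7, 19),
}

_KV = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_os_release(text):
    """Parse os-release(5) text into a dict of KEY -> value.

    Skips blank lines and '#' comments, strips matching single or double
    quotes, and resolves backslash escapes inside double-quoted values.
    Unparseable lines are ignored so one odd line cannot abort a scan.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            quote, val = val[0], val[1:-1]
            if quote == '"':
                val = re.sub(r"\\(.)", r"\1", val)
        fields[key] = val
    return fields


def check_image(os_release_text, today=None, eol_table=FEDORA_EOL):
    """Return (status, detail); status is 'eol', 'supported' or 'unknown'."""
    today = today or dt.date.today()
    info = parse_os_release(os_release_text)
    if info.get("ID") != "fedora":
        return "unknown", "not a Fedora image: ID=%r" % info.get("ID")
    ver = info.get("VERSION_ID")
    eol = eol_table.get(ver)
    if eol is None:
        return "unknown", "Fedora %s is not in the EOL table" % ver
    if today >= eol:
        return "eol", "Fedora %s went EOL on %s; no further security updates" % (ver, eol)
    return "supported", "Fedora %s is supported until %s" % (ver, eol)


def scan_images(images, today=None):
    """Check a mapping of image name -> os-release text; return a report list."""
    return [(name,) + check_image(text, today) for name, text in sorted(images.items())]


# Constructed sample os-release contents (shaped like Fedora's, but illustrative).
SAMPLE_F20 = """\
NAME=Fedora
VERSION="20 (Heisenbug)"
ID=fedora
VERSION_ID=20
PRETTY_NAME="Fedora 20 (Heisenbug)"
CPE_NAME="cpe:/o:fedoraproject:fedora:20"
"""

SAMPLE_F22 = """\
# comment lines are permitted by os-release(5)
NAME=Fedora
VERSION="22 (Twenty Two)"
ID=fedora
VERSION_ID=22
"""

if __name__ == "__main__":
    if sys.stdin.isatty():
        for row in scan_images({"fedora:20": SAMPLE_F20, "fedora:22": SAMPLE_F22},
                               today=dt.date(2015, 7, 20)):
            print("%-12s %-9s %s" % row)
    else:
        print("%s: %s" % check_image(sys.stdin.read()))
```

With the assumed table and a check date of 2015-07-20 (the date of this thread), the fedora:20 sample is reported as eol and fedora:22 as supported; anything whose ID is not fedora, or whose VERSION_ID is missing from the table, comes back unknown rather than being silently passed.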