The security team has concerns that docker.io cannot be maintained in jessie.
I asked upstream about the Go version commitment (we cannot rebase to Go 1.4 or later in jessie because it could break user code): <https://groups.google.com/forum/#!topic/docker-dev/BjNmlgifZ5c> (Not sure if this link will work, it obviously requires Javascript. It should point to the docker-dev thread, “Go version requirement”, started on 2015-03-15.) I think the Go version issue has been adequately addressed, but other parts of the thread show that there is no clear plan how to rebase docker.io to a new upstream version once this becomes necessary. Hence our concerns about maintainability. (The rebase question is not entirely theoretical. Upstream has previously acknowledged that “the v1 registry has a flawed design”: <https://news.ycombinator.com/item?id=8789775> The v1 registry protocol is what is implemented in docker.io 1.3.3. Debian does not run its own trusted registry, so our users are fully exposed to these design issues.) -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87k2y87p0h....@mid.deneb.enyo.de
