On 12/31/19 5:49 PM, Marc Boorshtein wrote:
>> And this is open for discussion… my view, to be ‘official’, needs to be
>> under the ‘apachedirectory’ repository, i.e. ASF supported.
>>
>
> I honestly find this isn't that important as long as you are getting the
> container from a reputable source. I generally avoid personal repos but if
> a repo is from a company with experience in the space and some kind of
> support behind it (even if it's just public open source) you're probably in
> good shape. Some things to look for:
>
> 1. Company supported - even if it's just open source
> 2. How often is it updated? How often do you patch your VMs? You want
> something that has a similar cadence.
> 3. Is the Dockerfile open source? You should know what code is running in
> your environment.
> 4. Is the build reproducible? Can you recreate the container with just
> the Dockerfile?
> 5. Is the container running as root? Too many "official" containers do
> this.
>
> This is on top of doing your own scans to look for issues.
>
> As an example of where I skip "official" builds: if Red Hat provides a
> container I go with that because they keep them up to date and don't run as
> root.
Well, those companies could join the Open Source project and contribute their expertise and make the official/convenient Docker image better :-)

>> More questions, how much work is this to maintain? Does it need to be
>> updated once per release (apacheds), or more often? What else… should the
>> image be signed?
>>
>
> Containers should be updated at least on a periodic cadence and better to
> be triggered by an event such as the FROM container being updated. We scan
> our containers using anchore.io and whenever a package is released to
> address a known CVE, we rebuild.

+1
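Two of the items in Marc's checklist (a reproducible build from a pinned base image, and not running as root) can be checked mechanically from the Dockerfile; the script below is an added example for this thread, not code from any poster or from the Apache Directory project. The image names and the digest in the sample Dockerfiles are constructed placeholders.

```python
import re
import shlex

def parse_instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs; joins backslash line
    continuations and skips comments and blank lines."""
    text = re.sub(r"\\\r?\n", " ", dockerfile)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def check_dockerfile(dockerfile):
    """Return {'runs_as_root': bool, 'unpinned_bases': [image refs]}.
    USER is per build stage, so only the final stage's USER counts."""
    stages, unpinned, user = set(), [], None
    for instr, arg in parse_instructions(dockerfile):
        if instr == "FROM":
            tokens = [t for t in shlex.split(arg) if not t.startswith("--")]
            image = tokens[0]
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            # Stage aliases and scratch need no digest; real base images do.
            if image not in stages and image != "scratch" and "@sha256:" not in image:
                unpinned.append(image)
            user = None  # every stage starts over as root
        elif instr == "USER":
            user = arg.split(":")[0]
    return {"runs_as_root": user is None or user in ("root", "0"),
            "unpinned_bases": unpinned}

# Constructed sample Dockerfiles; image names and the digest are placeholders.
PINNED = "@sha256:" + "0" * 64
BAD = """
FROM example/jre:latest
RUN apt-get update && apt-get install -y curl
COPY apacheds.tar.gz /opt/
CMD ["/opt/apacheds/bin/apacheds.sh"]
"""
GOOD = f"""
FROM example/jre:11{PINNED} AS build
COPY apacheds.tar.gz /opt/
RUN tar -xzf /opt/apacheds.tar.gz -C /opt
FROM example/jre:11{PINNED}
COPY --from=build /opt/apacheds /opt/apacheds
RUN useradd --system --uid 1000 apacheds
USER apacheds
CMD ["/opt/apacheds/bin/apacheds.sh"]
"""

if __name__ == "__main__":
    for name, df in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_dockerfile(df))
```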