Hi Jeen,
It _might_ be useful to keep some older versions on dockerhub to quickly check if an issue is a regression
(then again, we might just use the SDK for that… so I wouldn’t mind just keeping the latest version and delete the rest)
As for automated scanning, it would be great if Eclipse Foundation would provide e.g. Snyk.io subscription,
but if I recall correctly hub.docker is not considered to be core infrastructure by Eclipse …
(rather an extra service due to popular demand)
Best regards
Bart
From: rdf4j-dev <rdf4j-dev-bounces@xxxxxxxxxxx>
On Behalf Of Jeen Broekstra
Sent: donderdag 17 november 2022 21:39
To: rdf4j developer discussions <rdf4j-dev@xxxxxxxxxxx>
Subject: [rdf4j-dev] removing old docker images from dockerhub / vulnerability scanning
Currently, we have docker images for about 20 versions of RDF4J published to Dockerhub (see https://hub.docker.com/repository/docker/eclipse/rdf4j-workbench).
However, we tend not to refresh those images, meaning that any security fixes that get published for the base images we rely on do not get pushed. As a result, most of these older version are unsafe to use.
I can easily go in manually and just remove all images other than latest and 4.2.1, but can we think of any reasons to perhaps keep some older tagged versions around? If we do, we'll need to come up with a procedure to refresh those images
periodically, and/or a way to scan them so we're aware of potential vulnerabilities affecting them.