undefined | Better HN

0 pointspmoriarty3y ago0 comments

"somewhat irresponsible for the `latest` tag. A `latest` tag that cannot be updated is ... worse than no `latest` tag"

What's irresponsible is relying on a "latest" tag for updates.

0 comments

TheDong3y ago

The irresponsible thing is making it so the tag exists, but the organization behind it cannot update it.

Let's take for example the "jenkins/jenkins:latest" image.

Jenkins is notorious for having security updates, so in 2 years, if the latest tag is still there and frozen, it will be an attractive nuisance, causing people to download insecure software...

That's what the parent comment is trying to say. It's irresponsible to leave the image that implies it's "up to date and secure" because it's "latest", but is really insecure, and the organization owning it cannot change anything about that without paying $$. It's basically holding users of the image hostage.

francislavoie3y ago

You missed his point. He's saying "latest is an anti-pattern". Which is correct. Everyone should be pinning to specific versions or semver to avoid being accidentally upgraded to a release with breaking changes.

Yes, obviously making existing tags immutable is bad. Nobody is disputing that.

code_biologist3y ago

There are exceptions though. I'm the kind of person that would pin Jenkins to latest even if it is an antipattern. I'm way more concerned about security flaws than a temporary CI breakage. So for me: Everyone should be pinning Jenkins to latest to avoid accidentally staying on a release with security holes.

rightbyte3y ago

You are not only auto pulling fixes bit also auto pulling new security holes though.

My take on Jenkins with all its plugins is that it need to be properly shielded from external access anyways.

3np3y ago

You probably want to pin to at least a major tag to avoid auto-pulling breaking changes at any moment but still getting security updates.

paranoidrobot3y ago

It's not* just `latest` tags, it will also affect any other image tag.

If you've been referencing org/image:tag where tag=major-minor, and gets updated when there's a patch, then that's going to stop getting updated.

Without either the tag being deleted (and thus your pulls failing), or going out to find updates on that container - you may not notice that it's fallen out of date and the image/tag is no longer being updated.

With the entire organisation being removed from Dockerhub, it sounds like there's not even going to be a way for people to say "We've moved off Dockerhub, our images/source/etc is now over here".

You'll just have to search and hope you can find where it's moved to.

nunez3y ago

is it?

sometimes I want a container running the latest version of something. maybe i'm integration testing my stuff against that release to make sure stuff still works. or maybe I'm hoping a bug was fixed and will version pin later.

i agree that production software should version-pin all the things, but latest still has a place.

j / k navigate · click thread line to collapse