Node Docker image broken(github.com) |
Node Docker image broken(github.com) |
We always lock down to specific versions, but we also use a self hosted docker mirror to cache everything anyway.
There's no problem here.
Edit:
I see they were overwriting current tags.... well that’s even worse
Overwriting tags should honestly not be possible, ever. Node / NPM did that (I think) with one of their versions too. Or was it a npm package?
npm did away with `publish -f` (which would allow that) 4 years ago [1].
[1] http://blog.npmjs.org/post/77758351673/no-more-npm-publish-f
How do you propose to withdraw a release if it’s broken/contains secret keys/etc.? Delete the image itself and leave the tag dangling?
Instead, what they are saying is that you should 1) use a specific version, and 2) host that version in a location you control. This way, updates don't impact your build just because you clamp to the latest (which is a moving target). Also, if they happen to rerelease a tag which worked for a previous build you made and now doesn't, you are still pulling in the same thing.
Basically, if you depend on something, host it yourself. Otherwise, you are asking to be bit by this.
I certainly don't see any unit tests as part of the commit that triggered this issue
(Yes, even, or perhaps especially, command line commands should be tested, somehow.)
But they mean: images can be removed, but you should not be able to publish 2 different images with the same tag. Then you never know which version of those two you got.
Also, consider “secrets” in the “Personally Identifiable Information” sense, or the “confidential information shared to you by a third party” sense. If these are published, someone might see them; but the longer they stay published, the more people might see them, so you have an obligation to remove them.
Also, re: reusing a tag, what about having already announced a release version number, and tagging the release with it, only to find out the release is broken? It’s kind of problematic to have to bump the version again when the previous version didn’t even go out to anyone.
I would propose a slightly more relaxed rule: you shouldn’t be able to erase/overwrite a tag once there exist other tags in the repo with creation or signing timestamps newer than those of the targeted tag. So you can overwrite something you just created, but not something that’s “history.”
(An alternative to this would be if tags had nicknames or “object versions”, like in an S3 bucket. If you could have a v1.0.0 “tag” that first pointed to a static v1.0.0+1 ref, and then to a v1.0.0+2 ref, where clients don’t see the static ref tags but can still check them out using some special syntax in combination with the visible tag—and where you can revoke a static ref, but not overwrite it—that’d probably make everyone happy.)
I don’t see how this is implied or required by what the GP said. Lockfiles exist; docker-image and OS package hash-refs exist. Heck, nix exists. Getting what you expected to get is a solved problem, and does not require “host[ing] it yourself.”
Now, availability of your deployment might require hosting it yourself. (Though more often your availability figures will be far worse than those of Docker Hub or launchpad.net.)
I think availability is exactly what dozzie was getting at by specifying 'production'.
You want your production systems to be robust, not reliable at the whims of half a dozen different ecosystems all with different policies, procedures, humans, support agreements, etc. (This is without even touching on infrastructure availability.)