[Docker-maint] Removal of docker.io from jessie
Florian Weimer
fw at deneb.enyo.de
Sun Mar 22 20:31:26 UTC 2015
The security team has concerns that docker.io cannot be maintained in
jessie.
I asked upstream about the Go version commitment (we cannot rebase to
Go 1.4 or later in jessie because it could break user code):
<https://groups.google.com/forum/#!topic/docker-dev/BjNmlgifZ5c>
(Not sure if this link will work, it obviously requires Javascript.
It should point to the docker-dev thread, “Go version requirement”,
started on 2015-03-15.)
I think the Go version issue has been adequately addressed, but other
parts of the thread show that there is no clear plan how to rebase
docker.io to a new upstream version once this becomes necessary.
Hence our concerns about maintainability.
(The rebase question is not entirely theoretical. Upstream has
previously acknowledged that “the v1 registry has a flawed design”:
<https://news.ycombinator.com/item?id=8789775>
The v1 registry protocol is what is implemented in docker.io 1.3.3.
Debian does not run its own trusted registry, so our users are fully
exposed to these design issues.)
More information about the Docker-maint
mailing list