[CentOS-devel] registry.centos.org/centos:latest still points to CentOS-7

Fri May 1 10:40:27 UTC 2020
Jan Pazdziora <jpazdziora at redhat.com>

On Fri, May 01, 2020 at 08:28:59AM +0200, Fabian Arrotin wrote:
> On 01/05/2020 00:58, Derek Carter wrote:
> > Shouldn't `registry.centos.org/centos:latest`
> > <http://registry.centos.org/centos:latest`> point to CentOS 8?
> > 
> > That's what https://hub.docker.com/_/centos leads me to believe.
> > 
> > Where is the CentOS registry managed?
> That's indeed a good question as CentOS core team is pushing only to
> DockerHub, but the other team that was in charge of registry.centos.org
> is now silent for months so don't know about its actual status ....

I've reported the issue as


back in October, besides other things I've noticed about the container
images. It got no response so far.

The registry.centos.org/8 image has actually been updated two months
ago so someone with access to that registry is active:

$ podman pull registry.centos.org/centos:8
Trying to pull registry.centos.org/centos:8...
Getting image source signatures
Copying blob 7489b20503c1 [--------------------------------------] 0.0b / 0.0b
Copying config 06883f3563 done  
Writing manifest to image destination
Storing signatures
$ podman images registry.centos.org/centos:8
REPOSITORY                   TAG   IMAGE ID       CREATED        SIZE
registry.centos.org/centos   8     06883f356370   2 months ago   228 MB

Wouldn't it be good to either include registry.centos.org in the
official processes or decomission it altogether?

What's further interesting is that

	registry.centos.org/centos:7 3fe89940ae92

was updated three years ago, but it's 7.6.1810, unlike

	docker.io/library/centos:7 5e35e350aded

which is five months old, but is 7.7.1908. Having old versions around
can lead to people unknowingly using old software with vulnerabilities.

Jan Pazdziora
Product Owner, Platform Security Readiness, Red Hat