[CentOS-devel] registry.centos.org/centos:latest still points to CentOS-7

Fri May 1 10:40:27 UTC 2020
Jan Pazdziora <jpazdziora at redhat.com>

On Fri, May 01, 2020 at 08:28:59AM +0200, Fabian Arrotin wrote:
> On 01/05/2020 00:58, Derek Carter wrote:
> > Shouldn't `registry.centos.org/centos:latest` point to CentOS 8?
> > 
> > That's what https://hub.docker.com/_/centos leads me to believe.
> > 
> > Where is the CentOS registry managed?
> 
> That's indeed a good question as CentOS core team is pushing only to
> DockerHub, but the other team that was in charge of registry.centos.org
> is now silent for months so don't know about its actual status ....

I've reported the issue as

	https://bugs.centos.org/view.php?id=16592

back in October, besides other things I've noticed about the container
images. It got no response so far.

The registry.centos.org/8 image has actually been updated two months
ago so someone with access to that registry is active:

$ podman pull registry.centos.org/centos:8
Trying to pull registry.centos.org/centos:8...
Getting image source signatures
Copying blob 7489b20503c1 [--------------------------------------] 0.0b / 0.0b
Copying config 06883f3563 done  
Writing manifest to image destination
Storing signatures
06883f356370555e47f0dc0f4fbc7141046a806be2930c250f0dc8196fa6e659
$ podman images registry.centos.org/centos:8
REPOSITORY                   TAG   IMAGE ID       CREATED        SIZE
registry.centos.org/centos   8     06883f356370   2 months ago   228 MB

Wouldn't it be good to either include registry.centos.org in the
official processes or decommission it altogether?

What's further interesting is that

	registry.centos.org/centos:7 3fe89940ae92

was updated three years ago, but it's 7.6.1810, unlike

	docker.io/library/centos:7 5e35e350aded

which is five months old, but is 7.7.1908. Having old versions around
can lead to people unknowingly using old software with vulnerabilities.

-- 
Jan Pazdziora
Product Owner, Platform Security Readiness, Red Hat
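
An added example, not part of the original message: a small audit that flags an image reference when its build date is old or when another registry serves newer content under the same name and tag. It assumes JSON shaped like `skopeo inspect` output (`Created`, `Digest`); the timestamps, digests and the 180-day threshold are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed `skopeo inspect`-style documents keyed by image reference. The
# Created and Digest values are invented for this example, not real image data.
SAMPLE = {
    "registry.centos.org/centos:7": '{"Digest": "sha256:constructed-a", "Created": "2017-04-01T08:00:00Z"}',
    "docker.io/library/centos:7": '{"Digest": "sha256:constructed-b", "Created": "2019-12-01T08:00:00.123456789Z"}',
    "registry.centos.org/centos:8": '{"Digest": "sha256:constructed-c", "Created": "2020-03-01T00:00:00+00:00"}',
}
NOW = datetime(2020, 5, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible

RFC3339 = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")

def parse_created(value):
    """Parse an RFC 3339 timestamp, trimming nanoseconds to microseconds."""
    match = RFC3339.fullmatch(value)
    if not match:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, zone = match.groups()
    micros = (frac or "")[:6].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{micros}{'+00:00' if zone == 'Z' else zone}")

def audit(inspects, now, max_age_days=180):
    """Map each reference to findings: too old, or older than a same-tag peer."""
    parsed = {}
    for ref, raw in inspects.items():
        doc = json.loads(raw)
        parsed[ref] = (parse_created(doc["Created"]), doc["Digest"])
    findings = {}
    for ref, (created, digest) in parsed.items():
        notes = []
        age = (now - created).days
        if age > max_age_days:
            notes.append(f"built {age} days ago")
        name_tag = ref.rsplit("/", 1)[-1]  # e.g. "centos:7"
        for peer, (peer_created, peer_digest) in parsed.items():
            same_tag = peer != ref and peer.rsplit("/", 1)[-1] == name_tag
            if same_tag and peer_digest != digest and peer_created > created:
                lag = (peer_created - created).days
                notes.append(f"older than {peer} by {lag} days")
        if notes:
            findings[ref] = notes
    return findings

if __name__ == "__main__":
    for ref, notes in audit(SAMPLE, NOW).items():
        print(ref, "->", "; ".join(notes))
```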