Docker Hub and the aging population
Liz Rice

Can you re-run the first chart, grab the first date that every still existing repo was created, and therefore derive the total existing repos at the time that each repo was updated? Then average that for the whole month.
I suspect that the resulting update fraction will remain fairly flat except for Oct and Nov. It would also be interesting to see the growth curve overall plotted.

I have a new itch for you to scratch… We talked about getting useful data on repos… so….

Developing on what you wrote about vulnerabilities above, from this result for Alpine:

I need to have a list of all my repos that have a direct or indirect dependency on that repo. I want to know if there is a newer version of indirect repos that does not have the vulnerability, and I want a little table like this

repo name | risk from, repo name | suggested new dependency | github pushed | image rebuilt | fixed

where each row is one of my affected repos.

This will help me visit my source, pin FROM to suggested new dependency (without using :latest), run my tests locally, push to GitHub (table updates automagically), then autorebuild happens (table updates automagically), then I check the ‘fixed’ column when I’m happy.

It may take a day or two for all the impacts to be fixed, so it would be nice to have that table available in my account for a while, probably extending as new vulnerabilities emerge, and probably in a shared project space for the whole team.

The github_pushed column can be derived from hub.docker, IF the repo is autobuilt. If not, the image does not know where it came from. I use Codeship to run tests on images that it builds for me, before pushing to the registry. This keeps my registry clean.

Bonus Points

I have repos that have multiple Dockerfiles (for example an ELK stack bundle that has es, kibana, logstash, and now filebeat). There is no source registry information at Docker Hub. It would be great if the tool would introspect my repo, find all the relevant FROMs and make sure I update all the necessary ones.

There’s a lot of detail to work out here, but there’s a lot of value in reducing wasted rebuilds, and that frustration-time when you are trying to work out in this multidimensional space which step you missed, when an update does not work through.

Finally, I want Codeship to provide a summary dashboard of the state of all my Projects. Ideally, they would have a dashboard that integrated a lot of the above features for me. IWHMB.

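The FROM introspection and the "repo name | risk from" rows asked for in the response above, as an added sketch that is not part of the original response or of any Docker Hub or Codeship feature. It assumes each repo name is also the image name other Dockerfiles use in FROM, matches the vulnerable image by name only, and uses constructed sample repos; `base_images`, `split_ref` and `affected_repos` are hypothetical names.

```python
import re

# FROM [--flag=value ...] image[:tag][@digest] [AS stage]
FROM_RE = re.compile(
    r"^[ \t]*FROM[ \t]+(?:--\S+[ \t]+)*(\S+)(?:[ \t]+AS[ \t]+(\S+))?", re.I | re.M)

def base_images(dockerfile_text):
    """External images named by FROM lines; skips 'scratch' and earlier stage aliases."""
    stages, bases = set(), []
    for image, alias in FROM_RE.findall(dockerfile_text):
        if image.lower() != "scratch" and image.lower() not in stages:
            bases.append(image)
        if alias:
            stages.add(alias.lower())
    return bases

def split_ref(ref):
    """Split an image reference into (name, tag); no tag means 'latest'."""
    name = ref.split("@", 1)[0]                 # drop any digest
    if ":" in name.rsplit("/", 1)[-1]:          # a colon before the last '/' is a registry port
        name, tag = name.rsplit(":", 1)
        return name, tag
    return name, "latest"

def affected_repos(repos, vulnerable):
    """repos maps repo name -> list of Dockerfile texts. Returns one row
    (repo, risk_from, floating) per FROM that leads, directly or through
    another of these repos, to the `vulnerable` image name."""
    deps = {r: [ref for df in dfs for ref in base_images(df)] for r, dfs in repos.items()}
    tainted, grew = {vulnerable}, True
    while grew:                                 # fixed point over indirect dependencies
        grew = False
        for repo, refs in deps.items():
            if repo not in tainted and any(split_ref(r)[0] in tainted for r in refs):
                tainted.add(repo)
                grew = True
    rows = []
    for repo, refs in sorted(deps.items()):
        for ref in refs:
            name, tag = split_ref(ref)
            if name in tainted:                 # floating: follows :latest, not pinned
                rows.append((repo, ref, tag == "latest" and "@" not in ref))
    return rows

# Constructed sample: three hypothetical repos, one with several Dockerfiles.
SAMPLE = {
    "acme/base": ["FROM alpine:3.4\nRUN apk add --no-cache curl\n"],
    "acme/elk": ["FROM acme/base\n", "FROM acme/base:1.2 AS build\nFROM scratch\n",
                 "FROM debian:jessie\n"],
    "acme/web": ["FROM nginx:1.11\n"],
}
```

Rows with `floating` set to true are the FROM lines that still follow :latest and would need pinning to the suggested new dependency.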