Posted to dev@tomee.apache.org by "Jenkins, Rodney J (Rod)" <JE...@nationwide.com> on 2021/07/09 18:35:06 UTC

Docker image change requests

All,

There are two requests and one issue at https://github.com/tomitribe/docker-tomee/issues

The issue needs to be resolved sooner rather than later.  The base Debian image has a vulnerability in it, we need to rebuild it.  I will get that going.  However, I am concerned with the key server issues.  I would like a discussion on moving to the sha512 checksums.

Adding additional tags was requested back in 2017.  I like this idea.  For example we would point the “plus” tag at the latest 8 version on the newest jre.  Additional tagging is something we should be doing.

Cleanup of the bin directory is an easy fix.  This would make our images a bit smaller, which users like.

I am happy to make these changes, or have a discussion.

Please advise,
Rod.


Re: Docker image change requests

Posted by "Zowalla, Richard" <ri...@hs-heilbronn.de>.
Hi,

I think as long as we are using the official ASF "dist.apache.org" to
obtain the release distributions, it is fine to only check against the
SHA512 sums (file integrity) imho. 

Regarding the PGP checks (author / release manager integrity)

Might be beneficial to take a look at 
https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification
 and use a HKPS keyserver or a similar approach for building our docker
images with PGP checks. Wdyt?

I think it would be nice to have both checks.

Regards
Richard




-- 
Richard Zowalla, M.Sc.
Research Associate, PhD Student | Medical Informatics

Hochschule Heilbronn – University of Applied Sciences
Max-Planck-Str. 39 
D-74081 Heilbronn 
phone: +49 7131 504 6791 (currently not reachable by phone)
mail: richard.zowalla@hs-heilbronn.de
web: https://www.mi.hs-heilbronn.de/ 
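
The SHA512 check discussed in this thread, as an added shell example (not part of the thread or of the docker-tomee build files): it verifies a downloaded archive against a published checksum file in any of three common layouts and fails closed on a malformed digest. Function names and sample files are constructed for illustration; it assumes coreutils `sha512sum`, as found on a Debian base image.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed SHA-512 check for a
# release archive fetched during an image build.

# Lowercase hex SHA-512 of a file.
sha512_of() {
    sha512sum "$1" | awk '{ print $1 }'
}

# Print the digest stored in a checksum file. Accepted layouts:
#   bare digest            <128 hex>
#   sha512sum layout       <128 hex>  name      (or "<128 hex> *name")
#   gpg --print-md layout  name: ABCD1234 EF56... (upper case, grouped, wrapped)
expected_sha512() {
    if grep -q ':' "$1"; then
        digest=$(sed 's/^[^:]*://' "$1" | tr -d ' \t\r\n')
    else
        digest=$(awk 'NF { print $1; exit }' "$1" | tr -d '\r')
    fi
    digest=$(printf '%s' "$digest" | tr 'A-F' 'a-f')
    # Anything other than exactly 128 hex characters is rejected.
    case $digest in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#digest}" -eq 128 ] || return 1
    printf '%s\n' "$digest"
}

# 0 = digest matches, 1 = mismatch, 2 = missing or malformed input.
verify_sha512() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    want=$(expected_sha512 "$2") || return 2
    have=$(sha512_of "$1") || return 2
    [ "$want" = "$have" ]
}

# Constructed sample data: a stand-in archive and its checksum in each layout.
make_samples() {
    dir=$1
    printf 'constructed stand-in for a release archive\n' > "$dir/app.tar.gz"
    d=$(sha512_of "$dir/app.tar.gz")
    printf '%s\n' "$d" > "$dir/bare.sha512"
    printf '%s *app.tar.gz\n' "$d" > "$dir/coreutils.sha512"
    printf 'app.tar.gz: %s\n' \
        "$(printf '%s\n' "$d" | tr 'a-f' 'A-F' | fold -w 8 | paste -s -d ' ' -)" \
        | fold -s -w 72 > "$dir/gpg.sha512"
    printf '%s\n' "$d" | cut -c1-64 > "$dir/truncated.sha512"
    cp "$dir/app.tar.gz" "$dir/tampered.tar.gz"
    printf 'x' >> "$dir/tampered.tar.gz"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in bare coreutils gpg truncated; do
    verify_sha512 "$demo_dir/app.tar.gz" "$demo_dir/$f.sha512" \
        && echo "$f: OK" || echo "$f: rejected"
done
verify_sha512 "$demo_dir/tampered.tar.gz" "$demo_dir/bare.sha512" \
    && echo "tampered archive: OK" || echo "tampered archive: rejected"
rm -rf "$demo_dir"
```

A match only ties the archive to the checksum file, so the checksum file has to come from a source the build trusts, which is the condition the message above attaches to dist.apache.org.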

Re: Docker image change requests

Posted by Jonathan Gallimore <jo...@gmail.com>.
Fantastic, thank you for the update Rod!

Jon


Re: Docker image change requests

Posted by "Jenkins, Rodney J (Rod)" <JE...@nationwide.com>.
All,

All of the Docker images have been rebuilt.  While I have issues using the key servers, it does not appear that the automated build process does not.  I will look into this a bit further.

Rod.



Re: Docker image change requests

Posted by "Jenkins, Rodney J (Rod)" <JE...@nationwide.com>.
Jon,

I will get started on that.  I will move to SHA512 and should be able to release 9.0.

Thanks,
Rod.


Re: Docker image change requests

Posted by Jonathan Gallimore <jo...@gmail.com>.
I'm fine with the sha512 change - go for it.


Jon


Re: Docker image change requests

Posted by "Jenkins, Rodney J (Rod)" <JE...@nationwide.com>.
Jon,

Here is a link with more info on the key server issues:
https://github.com/tomitribe/docker-tomee/pull/47#issuecomment-872093674

I was able to reproduce these.  I have not been able to reliably build an image in the last couple weeks.

There is another issue blocking TomEE 9.0.  It looks like there is a missing key fingerprint from David’s new keys he uploaded.  See the email on this list on 5/29.

In my opinion, it is simpler to use the SHA and seems to be more reliable.

I have a PR request out there to remove the Windows files.  David did give me access to approve that, but I am assuming that we would prefer someone else to approve it.

I will start on a list of new tags to add to the images.

Thanks,
Rod.



Re: Docker image change requests

Posted by Jonathan Gallimore <jo...@gmail.com>.
Hi Rod,

Can you elaborate on what the keyserver issue is? That sounds like the
immediate blocker.

We publish SHA512 checksums so I'm fine with using them, although a GPG
check is also nice.

I'm a +1 on the additional tags, and removing the .exes from the bin
directory.

Jon
