daniel:// stenberg://

I argue we (#curl) should NOT pay docker. Not give in to extortion. This might mean that someone else soon suddenly will register our name and can serve whatever image they want there. 5 *billion* pulls indicate there's a user or two that might fall victim to this.

That's on docker, not us.

67 comments
chris@strafpla.net

@bagder Maybe you can pay docker by licensing curl to them?
Oh.

Neal Gompa (ニール・ゴンパ) :fedora:

@bagder Well, at least for podman users, we can ensure an official shortname matches wherever you want to go: github.com/containers/shortnam 😉

And have you looked at where to move the official images for curl yet? I've been using quay.io for my personal images and it's quite nice. 😀

daniel:// stenberg://

@Conan_Kudo we have had discussions already before on how to do this better, but eventually @jimfuller is our main docker image guy and he knows much more about this than I do. I'm mostly just following this a little from afar.

Jim Fuller

@bagder @Conan_Kudo upcoming changes to curl docker will see us distributing images from many other registries

Sly-Little-Fox(xo)

@Conan_Kudo @bagder Quay.io randomly banned my account, but other than that it's good.

P

@bagder what is the likelihood docker itself relies on curl? I would assume 100%…

Toni C. 🎗🔻🍉

@preston and if not Docker itself certainly many important base images @bagder

Edwin Groothuis

@bagder @simonlbn I've gone through two weeks of toots but cannot find the context of this statement...

jackson

@bagder i thought you meant about the fact that without curl, docker things will break. instead, it's much worse. it's kind of like a bait and switch.

either way, both outcomes are bad for the docker registry, so docker might have to make an exception for the popular images (while allowing less popular images to die).

daniel:// stenberg://

@jacksonchen666 yeah, several people have mentioned that maybe docker will block/reserve some names to avoid the worst possible outcomes. I guess we will see...

A* Ulven supports Ukraine

@bagder What's this about? I know about the Docker change, but what do you mean with victim users?

daniel:// stenberg://

@AlgorithmWolf if they delete our account someone else can register that name and offer new images using the existing name. Presumably.

A* Ulven supports Ukraine

@bagder Thank you for explaining. Apparently I didn't know about the recent Docker change indeed blog.alexellis.io/docker-is-de

This is strange, because their pricing page specifically lists this being free for individuals and open source projects? Unlimited repositories? docker.com/pricing/

Usually, when some company pulled off some shitty scheme, GitLab would pick up. Will they pick up this time, considering GitLab has a container registry?

MinDBreaK 🏴‍☠️

@AlgorithmWolf @bagder technically you can already host your images on gitlab and set them public. You can set the pull to public if you want to. Same goes for their package repository.

Jem

@bagder @AlgorithmWolf for what it’s worth, the Docker CTO has been saying they will not be releasing namespaces. Who knows how long that’ll last for though?

Doug

@bagder pretty sure I read on The Other Site that namespaces will be retained so squatting can’t happen.

Anton

@bagder Totally agree with not giving in.
The linked FAQ states that namespaces will not be released: news.ycombinator.com/item?id=3

daniel:// stenberg://

@antondollmaier ah thanks for pointing this out. Then at least that is not an issue.

Fratm :archlinux:

@bagder Funny, I have been asked why I don't like docker.. This bs that they are pulling is 1 example.

Rudolph Bott

@bagder on the one hand I can understand that running such a platform „for free“ is hard. On the other hand they already charge users for using the platform. By also charging the „content providers“ (and hence scaring them away) they will also lose the users in the long run. Why pay if your favourite images are not available any more?

Not to mention all the other issues (e.g. bad actors claiming previously well known account names etc). This seems like a giant footgun.

Raph

@bagder non-technical person here. What prevents projects and orgs from moving their images to a repository that is genuinely supportive of open-source? Are there no such repos that offer similar services to Docker?

Shauna GM

@raph @bagder Nothing is stopping projects from moving, but container registries exist in large part to allow other projects to automatically get images from them. Communicating to those projects that the image has moved is very difficult, and there's no evidence that the DockerHub will take the necessary steps to make things easier. I also believe that DockerHub is the default registry used by Docker, exacerbating the problem.

Shauna GM

@raph @bagder Basically: people (and automated scripts) are going to be looking on DockerHub for images that are no longer there. In the best case scenario, this will break a ton of scripts and be a huge hassle for a long time as people slowly update where they're getting images from. In the worst case scenario, you'll have malicious namespace squatting in the deleted accounts. (DockerHub's said they'll keep namespaces safe/reserved but there's not a lot of trust right now for obvious reasons.)

Raph

@shauna @bagder got it, thank you for explaining 🙏 so newer projects, that don't have humans or scripts looking at a particular registry yet, could move to another container registry, and all would be well? There are no particular downsides to *not* being on DockerHub?

Shauna GM

@raph @bagder That's my understanding. I don't use Docker/DockerHub much though, and certainly don't have any major projects that are getting hundreds of thousands of public downloads, so take my explanations with a pinch of salt. :)

Raph

@shauna @bagder Sounds good, this is already helpful. We're about to release two web apps that use Docker so this is a timely conversation 😅

AlgoCompSynth by znmeb

@bagder Do you have the resources to beat Docker in court? No?

I argue that you need a revenue model to cover the costs while you rebuild around another tool.

John Minnihan

@bagder i created + ran freepository for 17 yrs - lots of paid accounts but TONS of free ones.

i never did anything like this + even when i sunsetted the service, i gave everyone six months notice + the ability to download full repos.

not everyone who provides a free service behaves this way.

Kevin Karhan :verified:

@bagder *nods in agreement*

Every good #hoster will #cache shit and use at least an inhouse #CDN to save on external traffic.

To the point that hosters have caching proxies for packages of distros preconfigured in their images.

Cykonot

@bagder that's right, they need to tend their own walled garden.

Kinda like with Elon threatening to allow impersonators on his site if you don't give him money lol

DJGummikuh

@bagder
despite all the clusterfuckery of docker's decision, the way I read it namespaces are not released, so squatting of your image names will be impossible, even when your organization is deleted.
Still a scumbag move.

Matthieu Paret

@bagder it means, we should ban all docker images...

defel

@bagder no, this should not be the case.

Pierre Ozoux

@bagder this can become the biggest industrial catastrophe..

But I read on github that they will forbid squatting... (I don't really trust them..)

I recommend people to forbid their registry and ask their package maintainer to use a different one.

YesBait

@bagder a bit off-topic, but I just realized: people are running curl in Docker. A single binary command line application. And not a few, but causing 5000000000 downloads. What is going on in IT?

Fabio Manganiello

@yesbait @bagder I think it's docker-composer's fault for turning a container manager basically into a package manager.

When disk space is no longer a constraint, people start installing a 100 MB Alpine image just to run a 5 MB executable.

DELETED

@blacklight @yesbait @bagder docker only downloads the parts of an image you are missing, so, if you already have an alpine image from a different container, docker reuses it and only downloads the additional files required to run curl

Dani Pardo

@yesbait @bagder I've just run docker once, to self-host Gitlab, which might make sense, but this is kind of ridiculous. I wouldn't be surprised now if there's a docker image for running /usr/bin/true.

Simon Eilting

@yesbait @bagder sometimes you run stuff on other people's machines - like in CI. It makes sense to have everything containerised there, even if it's only curl.

I can also see it being used for an initContainer in kubernetes.

ScaredyCat

@bagder

What's happening? I can't find anything about this but it seems like it'd be an interesting discussion.

Fabio Manganiello

@bagder there's going to be a lot of squatting of Docker names soon. Docker images may become the main vector for delivering malware. And it's all on them, all self-inflicted.

I *WANT* people to do a docker pull of curl and install malware instead. I want it with all of my heart because I want people to figure out that Docker is an unreliable company that builds an unreliable product, and that those who slap the FOSS community after relying on them to grow deserve to get nothing but shitware.

Xavier «X» Santolaria :verified_paw: :donor:

@bagder Apparently, Docker's CTO commented informally on Twitter that they will shut down accounts that do not pay up, and not allow anyone else to take over the name....

Hopefully they keep their word.

trinity-1686a

@bagder on some free software project, we asked to become part of Docker-Sponsored Open Source program yesterday, and were accepted early this morning. You should probably do the same, if nothing but to protect the namespace

daniel:// stenberg://

@a000d4f7a91939d0e71df1646d7a48 I believe we are already part of that.

The name space is supposedly protected though, many people have pointed this out after my initial toot on this.

Deuchnord

@bagder apparently, accounts/organization names are not made available to new registers. I suppose it will mitigate the risk of squatting?

(source: twitter.com/justincormack/stat)

HugoPoi

Ok so I didn't follow the story, so Docker company asks for fees now for namespace on docker hub if I understand well.

Eric Zhang

@bagder I see you are a "Sponsored OSS" on Docker Hub. Does that not prevent the organization being deleted?

to⟁st⟁l

@bagder I still think the galaxy brain solution in most cases is going to be drop Docker, drop containers with their overhead, and use Nix or Guix if you want reproducible, shareable builds.

WagesOf

@bagder TIL that asking open source developers to pay for the services they use is extortion.

🤦‍♂️

WagesOf

@bagder they distributed over 5 billion copies of your software.

Sure seems so.

I don't know what distribution service with that much bandwidth should cost, but it seems that the era of free everything, even for open source, may be done.

daniel:// stenberg://

@wagesof they served that to their users. We helped them please their users.

Raniz

@bagder Someone recommended cancelling the org. and then immediately squat it yourself with a private throwaway.

farcaller

@bagder wait, why would curl ever pay docker? It's on docker for having a successful ecosystem.

Paolo Redaelli

@bagder
Have you evaluated #podman? I'm quite ignorant on the issue but AFAIK it should be a drop in replacement for #docker
@valhalla

MrClon

@bagder docker images of curl? For what?
