
If you thought having to deal with old COBOL programs was a problem, it gets much worse. When there are 10-year-old containers in production, and the parts to rebuild them are long gone, then you have a real problem.

There's a reason that Google has internal systems which can and do rebuild everything from source.




This is actually a very important point that gets ignored a lot.

What will happen if public container images are no longer available for building your application?

You're in for a world of hurt if a major dependency of your application doesn't work anymore because someone pulled the image.


The right answer is to use your own repository and pull those images in-house where they can be scanned and verified, i.e., run a container from that image, scan it using security tools, then action from there.

You can also kind-of recreate a Dockerfile from an image using docker history: https://stackoverflow.com/questions/19104847/how-to-generate...

In the general case, it’s the same as a Ruby Gem or NodeJS module going away from rubygems or npmjs; once it’s gone, it’s gone.


This is why we have a local registry, and any container that goes to testing or production or is needed for builds should be buildable from source.

We still need to figure out how to best tackle the issue of online repositories being taken down or vanishing. For now we run apt-mirror.


The same thing you do with any 3rd party dependency -- save a copy of the source. Pull from DockerHub all you want but keep the images and their sources in a private registry and deploy your actual services from that.
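
Added example, not part of any comment in this thread: a small Python audit that flags Dockerfile `FROM` lines which still pull from a public registry or use a mutable tag, the two cases the comments above warn about. The registry host `registry.internal.example` and the sample Dockerfile are constructed assumptions.

```python
import re

INTERNAL_REGISTRY = "registry.internal.example"  # hypothetical private registry host

# Constructed sample Dockerfile, not taken from the thread.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 golang:1.22 AS build
RUN go build -o /app ./...
FROM registry.internal.example/base/debian:12 AS tools
FROM registry.internal.example/base/distroless@sha256:""" + "a" * 64 + """ AS runtime
COPY --from=build /app /app
FROM scratch
FROM runtime
"""

# FROM [--flag=value ...] image [AS stage]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_dockerfile(text, registry=INTERNAL_REGISTRY):
    """Return (line_no, image, problem) for every FROM that could break or
    change if an upstream public image is removed or re-tagged."""
    findings, stages = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # 'scratch' and earlier build stages are not registry pulls.
        if image != "scratch" and image.lower() not in stages:
            if "$" in image:
                findings.append((no, image, "unresolved build arg"))
            elif not image.startswith(registry + "/"):
                findings.append((no, image, "not from private registry"))
            elif not DIGEST_RE.search(image):
                findings.append((no, image, "tag not pinned by digest"))
        if alias:
            stages.add(alias.lower())  # stage names are case-insensitive
    return findings

if __name__ == "__main__":
    for no, image, problem in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {no}: {image}: {problem}")
```

Run in CI against every Dockerfile, a non-empty result means a build still depends on something outside the in-house registry.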



