Container Versioning and Deprecation Policy

Versioning

Our containers follow normal Semver style versioning. A change in version means that there was some code change that occurred within the image. However, in order to follow best practices and address possible security vulnerabilities within the underlying image used in the container, we will also periodically update the base image of one or more tagged versions. This will cause the container hash to change, but the tag to remain the same.
The following policy will be used. The primary goal of this policy is to communicate changes when they occur within the container, to quickly address and fix vulnerabilities in current/old versions, and to avoid hosting tagged, vulnerable images within our registry.
  • Docker image tags WILL change if there are code changes within the image. This means that between 1.4.11.4.2 there are direct code changes between the two images.
  • Docker image tags WILL change if we modify the underlying base image to move to a completely different image, i.e. alpineslim or something similar.
  • Docker image tags WILL NOT change if all that is changing is an update of the base image to fix a container vulnerability.
  • Tagged Docker images will not be removed from our public registry until the version with which they are tagged has been deprecated and the deprecation grace period has expired. Pre-release/beta tags (those in the form x.y.z-betaN) do not require a deprecation period before they are removed.
  • Untagged images with or without vulnerabilities will continue to be available in the public registry until the end of their retention period.

Deprecation and Retention

Each container release will remain supported at least 12 months following the release of an updated version or public notice of its end of life.

When will a container be deprecated?

Automatically when a newer version of it is released, or manually when its end of life is announced in its changelog.

What is the deprecation grace period?

12 months from the time of deprecation. After that period deprecated images are subject to removal from the registry.

What is the retention period of untagged images?

6 months from when they become untagged. After that period untagged images are subject to removal from the registry.