docker-node icon indicating copy to clipboard operation
docker-node copied to clipboard

Published 20 hours ago verified publisher icon nodejs

Add note to DockerHub indicating Alpine images rely on experimental and unofficial-builds

Open BethGriggs opened this issue 1 year ago • 9 comments

A somewhat extension to https://github.com/nodejs/docker-node/issues/2000.

I've heard a lot of feedback from users of the Docker Official Node.js Alpine images that they were unaware they rely on experimental status builds (refs: BUILDING.md) from https://unofficial-builds.nodejs.org/. The binaries built into these images are not signed by the Node.js release team which may also be a surprise and/or concern to end users.

I understand the constraints with making those builds an official platform. But, I do think this information is not surfaced well enough today. Users of the pre-built Docker images are unlikely to be looking at the building file in Node.js core repository. It's also easy to see the 'Docker Official' status and assume the contents are as official/supported as the other builds the project provides.

I think we should consider adding a note (or warning?) to the https://hub.docker.com/_/node/ webpage indicating the Alpine Docker images make use of an experimental platform provided by https://unofficial-builds.nodejs.org/.

BethGriggs avatar Dec 13 '23 16:12 BethGriggs

I'd guess that adjusting the node:<version>-alpine section would be a useful place to put it. This is generated from a generic template, but can be overridden like we do in golang with a variant-alpine.md.

yosifkit avatar Dec 18 '23 19:12 yosifkit

Yeah, I agree we should do that 👍 Suggestions on the wording is very welcome! 😀 I'm bad at those sorts of things

SimenB avatar Dec 19 '23 08:12 SimenB

Regarding verbiage something akin to:

The binaries built into these images are not signed by the Node.js release team

vhscom avatar Dec 19 '23 18:12 vhscom

What about this:

Notice to Node.js Alpine Docker Image Users

Please be aware that our Node.js Alpine Docker images use builds from https://unofficial-builds.nodejs.org/, which are not signed by the official Node.js release team. These builds are chosen to ensure compatibility and performance within the Alpine environment. We share this information for transparency and to help you make informed decisions regarding your application setup.

We could also add:

For more details and discussion, please refer to: https://github.com/nodejs/docker-node/issues/1025

PeterDaveHello avatar Mar 29 '24 20:03 PeterDaveHello

@PeterDaveHello's suggestion seems reasonable to add. Who has permission to update this? (cc: @mhdawson who may know)

BethGriggs avatar Aug 12 '24 12:08 BethGriggs

I can help submit the PR for the GitHub README, but I don't have permission to make changes on Docker Hub.

PeterDaveHello avatar Aug 12 '24 14:08 PeterDaveHello

From https://hub.docker.com/_/node:

(specifically, what I'd recommend is a custom variant-alpine.md like the one Go has: https://github.com/docker-library/docs/blob/ab0984534328ccfd0128d79fcfe6eff6f8600e4c/golang/variant-alpine.md vs the stock copy at https://github.com/docker-library/docs/blob/ab0984534328ccfd0128d79fcfe6eff6f8600e4c/.template-helpers/variant-alpine.md)

tianon avatar Aug 12 '24 23:08 tianon

Looks like its been figure out and is progressing. Let me know if you need my help.

mhdawson avatar Aug 20 '24 15:08 mhdawson