We’re a little late to the party. Fashionably late.
By now the world knows that DockerHub has put an end to the free, untraceable goodness of unlimited anonymous pulls. How dare they? How dare they build a revolutionary technology, open-source it and give it away for free, at a substantial cost to themselves. It is worth calculating what a couple of petabytes of CloudFront bandwidth would cost, even with a substantial discount. It is mind-blowing, and frankly unsustainable for any company that doesn't have a multitude of revenue streams.
Why have public when you can have private?
Cloudsmith built a Docker registry at the request of a customer about two years ago. At the time, we thought it unlikely that we'd be picked over AWS ECR (other cloud providers' container registries are available), but we were pleasantly surprised to find that a single pane of glass for all assets is a huge draw for our customers.
We've built Cloudsmith to normalize the diverse list of formats as far as possible, so that Docker images can sit beside the very dependencies they contain.
A. N. Onymous
The truth is, untraceable, anonymous access is bad for software delivery, and it should be a thing of the past. Organizations must build security into their processes and workflows at the far left, during development and dependency selection, with tools like Snyk, and at the point of deployment or distribution with tools like Cloudsmith.
We believe that building up a provenance trail, a record of what was pulled, from where and by whom, is vital if you are to monitor and control your risk.
The move by DockerHub, while it might cost you money, is actually a step in the right direction for everyone. Control over public upstreams is vital; this move shines a light on the problem and will, for many, force action toward a better and more secure way of doing things.
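One concrete place to start exercising that control, as an added example that is not part of the original post and not Cloudsmith or Docker tooling: a small Python audit that walks a Dockerfile's FROM lines, normalizes each image reference the way the Docker client does (docker.io as the implicit registry, library/ for official images, latest as the implicit tag), and flags base images that come straight from an upstream you don't control or that are not pinned by digest. The approved registry host registry.example.com, the sample Dockerfile and the digest in it are all constructed for the example.

```python
"""Audit Dockerfile FROM lines for upstream control and digest pinning.

Added illustration, not code from Cloudsmith or Docker. Assumed policy:
base images are pulled only through an approved private registry
(hypothetical host registry.example.com) and are pinned by digest so the
provenance trail records exactly which bytes a build started from.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Docker only accepts sha256 digests of 64 hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# FROM [--flag=value ...] <image> [AS <alias>]   (case-insensitive keyword)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        # A malformed digest is treated as unpinned rather than trusted.
        return self.digest is not None and DIGEST_RE.match(self.digest) is not None


def parse_image_ref(ref: str) -> ImageRef:
    """Normalize a reference like the Docker client: missing registry is
    docker.io, a bare docker.io repo becomes library/<name>, the tag is the
    text after the last ':' that follows the last '/', the digest after '@'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # The first path component is a registry host only if it looks like one.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(registry, path, tag, digest)


@dataclass
class Finding:
    line: int
    image: str
    reason: str


def audit_dockerfile(text: str, approved_registries: Iterable[str]) -> List[Finding]:
    """Return one Finding per policy violation, in file order."""
    approved = set(approved_registries)
    findings: List[Finding] = []
    stages = set()  # aliases of earlier stages; FROM <alias> pulls nothing
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        raw, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias)
        if raw == "scratch" or raw in stages:
            continue
        if "$" in raw:
            # Build-arg references cannot be audited statically; resolve first.
            findings.append(Finding(lineno, raw, "base image comes from a build ARG and cannot be audited statically"))
            continue
        ref = parse_image_ref(raw)
        if ref.registry not in approved:
            findings.append(Finding(lineno, raw, f"pulled from uncontrolled upstream {ref.registry}"))
        if not ref.pinned:
            findings.append(Finding(lineno, raw, f"not pinned by digest (tag {ref.tag!r} is mutable)"))
    return findings


# Constructed sample Dockerfile; the digest is a placeholder of the right shape.
PINNED_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = "\n".join([
    "# constructed sample, not from any real project",
    "FROM golang:1.20 AS builder",
    "WORKDIR /src",
    "RUN go build -o app .",
    "FROM ${RUNTIME_BASE}",
    "COPY --from=builder /src/app /app",
    f"FROM --platform=linux/amd64 registry.example.com/base/alpine:3.18@{PINNED_DIGEST} AS final",
    "COPY --from=builder /src/app /app",
])

if __name__ == "__main__":
    for f in audit_dockerfile(SAMPLE_DOCKERFILE, {"registry.example.com"}):
        print(f"line {f.line}: {f.image}: {f.reason}")
```

Run against the sample, the audit reports the golang stage twice (it comes from docker.io and uses a mutable tag) and the build-arg stage once, while the digest-pinned alpine stage from the approved registry passes. Treating a malformed digest as unpinned is deliberate: a pull by a digest the registry would reject falls back to nothing useful, so the audit should not count it as provenance.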