Yes, Ironbank is an approved DoD dockerhub. There is no requirement for the releases on Ironbank to be in sync with the releases in Apache/Tinkerpop. The major requirement for Ironbank is for there not to be any critical/high vulnerabilities in the docker image. If there are vulnerabilities that "pop" up they should be addressed quickly.
My team can help with that process but it would be hard for us to fix the vulnerabilities without knowing the code. Jim On Mon, Dec 19, 2022 at 5:36 AM Stephen Mallette <[email protected]> wrote: > Hi Jim, thanks for bringing this discussion here. > > Generally speaking, it sounds like a reasonable idea to open TinkerPop > opportunities to the DoD environment. Would it be fair to call IronBank a > DoD approved DockerHub? Would the idea be that TinkerPop would release to > IronBank in the same cadence as is done with the standard release schedule > that publishes to DockerHub? > > If so, I think a concern would be that supporting IronBank creates a hurdle > to releasing that may be high and thus delay releases that might otherwise > be acceptable outside of that space. I don't know if it makes sense, but > perhaps releasing to IronBank should be decoupled from standard releases? > Like 3.5.5 would go out the door and then a separate process would go under > way to harden 3.5.5 to meet IronBank needs? Of course, then the 3.5.5 in > IronBank isn't necessarily the 3.5.5 in DockerHub so that could be > problematic. Do you happen to know how other major open source projects do > this? > > > > > > On Wed, Dec 14, 2022 at 4:51 PM Jim Foscue <[email protected]> > wrote: > > > Ironbank discussion > > > > I would like to suggest making tinkerpop/gremlin available on the DoD > > Ironbank docker registry (https://ironbank.dso.mil). > > > > Ironbank is a DoD docker registry that maintains publicly available > docker > > container images that have been "hardened' and given the ok to use on DoD > > contracts. The process of hardening an image involves running the docker > > container image through a vulnerability scanning process. Any critical > and > > high vulnerabilities have to be addressed before getting the docker > > container image approved for DoD use. > > > > My team has been using the publicly available tinkerpop/graph on a DoD > > contract that is a prototype. But to continue using it in a more > official > > process we have to have it approved by Ironbank. > > > > Therefore, I am trying to get the tinkerpop developer community to get > > onboard to push this to Ironbank so that we and other DoD contracts can > use > > it. > > > > We have access to the Ironbank system (which requires a US government > CAC) > > and are willing to help guide the process. > > > > Please consider this request and provide any feedback to me at your > > convience. > > > > Regards, > > > > Jim Foscue > > JDM Solutions > > > > > > > > -- > > *Jim Foscue*, Software Engineer > > *JDM Solutions* > > 256.694.9387 > > [email protected] <[email protected]> > > > > -- > > *This e-mail and any attachements are for the intended recipient(s) only > > and may contain information proprietary or private to JDM Solutions, LLC. > > If you are not the intended recipient **please delete without copying and > > kindly advise the sender by e-mail of the mistake in delivery. This > email > > may be personal in communication from the sender and as such does not > > represent the views of the company.* > > > -- *This e-mail and any attachements are for the intended recipient(s) only and may contain information proprietary or private to JDM Solutions, LLC. If you are not the intended recipient **please delete without copying and kindly advise the sender by e-mail of the mistake in delivery. This email may be personal in communication from the sender and as such does not represent the views of the company.*
