Jon,

Here is a link with more info on the key server issues:
https://github.com/tomitribe/docker-tomee/pull/47#issuecomment-872093674

I was able to reproduce these.  I have not been able to reliably build an image 
in the last couple weeks.

There is another issue blocking TomEE 9.0.  It looks like there is a missing 
key fingerprint from David’s new keys he uploaded.  See the email on this list 
on 5/29.

In my opinion, it is simpler to use the SHA and seems to be more reliable.

I have a PR request out there to remove the Windows files.  David did give me 
access to approve that, but I am assuming that we would prefer someone else to 
approve it.

I will start on a list of new tags to add to the images.

Thanks,
Rod.


From: Jonathan Gallimore <jonathan.gallim...@gmail.com>
Date: Wednesday, July 14, 2021 at 5:07 AM
To: dev@tomee.apache.org <dev@tomee.apache.org>
Subject: [EXTERNAL] Re: Docker image change requests

Hi Rod,

Can you elaborate on what the keyserver issue is? That sounds like the
immediate blocker.

We publish SHA512 checksums so I'm fine with using them, although a GPG
check is also nice.

I'm a +1 on the additional tags, and removing the .exes from the bin
directory.

Jon

On Fri, Jul 9, 2021 at 7:35 PM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> All,
>
> There are two requests and one issue at
> https://github.com/tomitribe/docker-tomee/issues
>
> The issue needs to be resolved sooner rather than later.  The base Debian
> image has a vulnerability in it, we need to rebuild it.  I will get that
> going.  However, I am concerned with the key server issues.  I would like a
> discussion on moving to the sha512 checksums.
>
> Adding additional tags was requested back in 2017.  I like this idea.  For
> example we would point the “plus” tag at the latest 8 version on the newest
> jre.  Additional tagging is something we should be doing.
>
> Cleanup of the bin directory is an easy fix.  This would make our images a
> bit smaller, which users like.
>
> I am happy to make these changes, or have a discussion.
>
> Please advise,
> Rod.
>
>

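Added example (not part of the thread and not the docker-tomee build script): a fail-closed SHA-512 check of the kind discussed above, for an image build where the expected digest is pinned in the build file instead of depending on a key server. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and the sample file are constructed, not project code.

# Print the lowercase hex SHA-512 of a file (coreutils, or shasum as a fallback).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Read the digest from a published .sha512 file: "<hex>  <name>" or a bare "<hex>".
digest_from_file() {
    awk 'NF {print tolower($1); exit}' "$1"
}

# verify_sha512 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a missing file or malformed digest,
# so an empty or truncated expected value can never pass.
verify_sha512() {
    _vs_file=$1
    _vs_exp=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $_vs_exp in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#_vs_exp}" -eq 128 ] || return 2
    [ -f "$_vs_file" ] || return 2
    _vs_act=$(sha512_of "$_vs_file") || return 2
    [ "$_vs_act" = "$_vs_exp" ] || return 1
    return 0
}

# Constructed sample: the standard SHA-512 test vector for the three bytes "abc",
# standing in for a digest pinned in a Dockerfile.
PINNED_ABC=ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f

demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/sample.tar.gz"
if verify_sha512 "$demo_dir/sample.tar.gz" "$PINNED_ABC"; then
    echo "sample.tar.gz: digest matches pinned value"
else
    echo "sample.tar.gz: verification failed" >&2
fi
rm -rf "$demo_dir"
```

A digest downloaded from the same location as the artifact only detects corruption in transit; pinning the expected value in the build file is what gives the check a fixed trust anchor.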