Thanks - I'm +1 to both doing this work and the naming convention. The main naming alternative I can think of is using tags for distroless, aka apache/beam_python3.9_sdk:2.61.0-distroless (and probably also apache/beam_python3.9_sdk:latest-distroless), but I think that having separate repos is probably a little bit cleaner for vulnerability tooling and vulnerability-based policies. Overall, I don't think there's a huge difference (and I've seen both approaches used), but I like the repo approach a bit more.
Thanks, Danny On Mon, Nov 25, 2024 at 5:31 PM Damon Douglas <damondoug...@apache.org> wrote: > Hello everyone, > > Work is currently underway <https://github.com/apache/beam/issues/32815> > to build support for distroless container images > <https://github.com/GoogleContainerTools/distroless>. The purpose of this > message is to query any concerns over their naming convention, where simply > "_distroless" is added as a suffix. Currently, as an example, for the > Apache Beam Python 3.12 SDK, we publish apache/beam_python3.12_sdk > <https://hub.docker.com/r/apache/beam_python3.12_sdk> and for Java 17, we > publish apache/beam_java17_sdk > <https://hub.docker.com/r/apache/beam_java17_sdk>. The distroless > variants of these aforementioned will be > apache/beam_python3.12_sdk_distroless and > apache/beam_java17_sdk_distroless, respectively. Please let me know if you > have any concerns with the following proposed distroless variants. Note > that not all versions of Python and Java will be supported. > > apache/beam_python3.9_sdk_distroless > apache/beam_python3.10_sdk_distroless > apache/beam_python3.11_sdk_distroless > apache/beam_python3.12_sdk_distroless > apache/beam_java17_sdk_distroless > apache/beam_java21_sdk_distroless > > Best, > > Damon >
