We Need to Talk About Docker Hub

But they did do it. By their own admission in the post, that isn’t really in question.

The implied question is whether or not they should _continue_ to do it in perpetuity. If docker did a cost:benefit of the program and decided it wasn’t worth it (maybe they didn’t get that much good PR after all?) it’s their prerogative to end it.

There’s a perfectly valid gripe about the lack of communication, just as a matter of courtesy; but again, taking from their very own post, docker (the company) has historically burned their hands on proactive communication before.

Containers took off because it was the easiest way for developers targeting Linux to get a predictable runtime environment. It freed them having to worry about the differences between Debian's OpenSSL or Red Hat's OpenSSL libraries or even the differences between different versions of a distribution. You don't see nearly the same level of uptake among Windows developers because not only is there only one Windows API for everyone to target but also Microsoft is willing to bend over backwards to preserve backward compatibility.

Containers also predated "modern sysadmins"; prior to docker, Google ran its prod software in chroots for the same reasons as above:

>The software run by the server is typically run in a chroot with a limited view of the root partition, allowing the application to be hermetic and protected from root filesystem changes. We also have support for multiple libcs and use static linking for most library uses. This combination makes it easy to have hundreds of different apps with their own dependencies that change at their own pace without breaking if the OS that boots the machine changes.

https://www.usenix.org/system/files/conference/lisa13/lisa13...

I started using it to get rid of all the moving parts of library versions, moving Debian releases, etc. Everyone has the exact environment locally and there is no confusion.

It has its own flaws, but it was so much better than the alternatives.

This 100%.

I managed a hiring process last year (my first) and from the outset I wanted to make sure I let every applicant that we talked to know if we had decided to pass. It was a lot easier said/thought than done.

That email is horrible to send. My stomach dropped out every time I hit “send”, for exactly the reasons you stated. I dreaded the replies which often included some kind of “Why?” question.

I completely understand where the candidates are coming from. They want to know what they did wrong and how they can improve. On the surface this seems like an easy thing to do, but in my experience, it’s more like opening a can of worms. How do you tell someone “I’m sorry, you’re too junior, try again in a few years” or “your entire personality was off-putting/rude” or “you spent an inordinate amount of time in the interview tying to convince me I was wrong about tabs vs spaces and even sent me a follow up email citing more reasons” or “You told me you worked with PHP 6 when I asked you what version you had used” [0], or “you couldn’t remember if you used Angular 1 or 2+” [1], or “you told me you had a great memory then proceeded to say ‘I don’t know’ and ‘I don’t remember’ to 90% of my questions”…. The list goes on

When sending a rejection letter the best case scenario is that they say “thank you” and move on (or don’t reply at all). Worst case scenario, they start asking follow-up questions which I feel obligated to respond to, they get irate, and/or they attempt some kind of bargaining/arguing. I’m not going to say I’d never do any of these things myself (however unproductive) but it shocks me that some people think they can change your mind by arguing about why you passed on them.

It’s all very uncomfortable and feels like you are navigating a field of land mines.

[0] PHP 6 never was released, it went from 5->7, though you can find books on “PHP 6” because they were printed before it was clear the version was going to be skipped.

[1] Angular 1 vs 2+ is essentially a completely different framework. Anyone working in web tech should be aware of that fact.

You're 100% right.

Still, i think we should expect better of companies and candidates on both ends.

Yes. People don't like being confronted with their shortcomings. Cultivate humility - you'll learn more.

I agree only in part. Specifically, I agree that rejection brings out the worst in people and sometimes it's better to not engage in follow-up conversations about rejection. I have interviewed my share of problematic applicants and we should not make excuses for employers to behave badly due to bad applicant behavior.

Courtesy starts with the giver. If someone chooses to not be equipped, then you have done your job by attempting courtesy, nothing more is required.

While there's a lot of awful behavior, I have found complete silence (no initial rejection) triggers worse behavior. For example, silence leads to people constantly reaching out, rightfully wanting to know status. Moreover, it greatly encourages the psychotic people to bombard you with craziness via any means of contact. For that reason, an initial response that a person is rejected is enough typically.

Courtesy is not hard and saying so is concerning. While people may have different reactions, a simple sentence is a courtesy and a thank you, nothing beyond that is required. Still, I admit reading this site sometimes makes me think basic humanity is a challenge for many people. Unfortunately, those people seem to be in charge of hiring at many companies.

All you have to do in a job context is respond at least once - thank you, but no. If the other person does not see a simple email as courtesy, that is their problem. A response is a universal courtesy, no response is a universal insult. I can understand not wanting to engage further, however.

No response at all is also demeaning. It takes seconds to formulate an initial rejection response. If someone presses you, simply reply with that dreaded canned response + simply use their name. If you want to further personalize things in either case, you pick 1 detail you remember to sound more genuine, which for a functioning human should be quite easy.

If you want something more dry in a follow-up, you can say that for legal reasons, you are not allowed or comfortable discussing further, but you wish the person luck. That covers all the normal people, and for crazies, you have no choice either way but at least this has a chance of getting them to go away. What you are saying is that people are not even worth seconds of your time, especially people who potentially invested hours, weeks, or even months in the process. I would hope any reasonable person is above this.

Lastly, a response is important because it allows people to prioritize and further their job search. If you keep someone hanging, it can have huge implications that I should not have to explain. There are many other problems it can cause as well. As an example, I once applied for a job I thought I wanted because the company confused me with someone else and their SOP was silence. They stopped responding to my inquiries which insulted me so much, I rejected their subsequent offer when the mistake was caught. Another example - a company scheduled interviews for me and just didn't show up, making me have to leave my wife alone in the hospital at the time which I only did because my job search was that important at that time financially.

Honestly, I'm so tired of the attitude of companies and people on here validating unprofessional and awful behavior. If it were legal and without issue, I'd make a list and publicly shame. The only redemption is that when someone can't even be human enough to respond to you, working at their company would be a miserable experience. Still, that does not help when you waste weeks, months, or even years going through this nonsense with ego tripping weirdos doing hiring these days, ghost jobs, and complete psychos. I've been interviewing candidates for over 20 years and I do not say this lightly that the current process is disgusting, awful, and unacceptable at a disturbingly large number of companies.

Lawsuits are an issue, I highly agree and only explain silence for repeated contact, not for initial rejection notification. I have experienced everything you said and taken a similar approach in the past hiring within my network.

Regarding the larger issues, I have diffused the legal issue in the past to some degree simply by stating, "Legally, I can't discuss this with your further, however I wish you luck" or less directly, "Thank you for inquiring. As a policy, we don't discuss rejections, however I wish you luck." Many people will simply fold, while the crazy people are going to be crazy no matter what, but at least you tried to address people who are genuinely asking for feedback in a polite way that doesn't forever tarnish you.

I have started going out of my way to spread the word in my network about certain companies who behave poorly in the hiring process, however, even if it did not involve me directly. I will not do business with these companies, use their products and libraries (when possible), and recommend against colleagues joining when they come to me for advice, recommendations, or feedback. I encourage others to actually hold people responsible for sh*t behavior. This of course goes both ways for employers and applicants.

> Just rip the bandaid off.

But you're not ripping the bandaid off, you're ignoring it and hoping that it will fall off on its own.

So far as you say that upfront

Dude, your posts are filled with wild non-sequiturs. “Don’t you believe in freedom?” What?

Fair point. I only know Linuxserver from various open source projects that don't offer containers on their own. I guess you mean tools like Radarr and so on. I guess it's okay to assume that someone might by offended by that.

What I specifically meant by horrendous was not only that they ignore one project. Unfortunately, I made similar experiences with my little project. They don't reply to emails, the application process is mediocre at best and the last time my projects' org got a renewal for the program, they mixed up accounts and first wanted to charge me for a team plan. Thank god someone noticed this on their side and fixed it. But all in all, a subpar experience. My expectation would be that someone at Docker takes care of this in an honest and professional manner. As of today, this seems to be not the case.

> It's like how WordPress have benefitted from people authoring plugins – even though wordpress.org has hosted them for "free", this has been good commercial sense as it allows them to sell more WordPress.com to people.

With seemingly similar rent-seeking behaviour when Automattic decide they’ve had enough and want to put a toll on that road…

And once those services are fully developed, and the market is captured, do they still need to provide free services?

Isn't compatibility issues a major problem for alternative registries?

With your framing this looks like the free/“free” initial use of such a framing is similar to free accounts on new social media platforms. In that case the motivation is super clear: grow the social platform since a social platform with few users is useless. Then when they get big enough they start charging. Once you’re already locked in via all sorts of connections.

Again in the case of social platforms: for the longest time this was framed as user entitlement if anyone didn’t like it. Which failed to see the other side. Yes, the users wanted something free but the company also got something back from the user.

We could go back and forth on details like the service growing to such a point that the free service becomes too much of a burden on them. But consider the case when the free service was treated by the business as an investment for $X which was supposed to carry that cost until the proverbial rug could be pulled from the users without a mass exodus—grow your user base until you have enough of a mass to demand a considerable escape velocity in order to be avoided.

Again, arguments could be made either way. But it is definitely not as simple-cut as an altruistic service versus selfish users/consumers.

I’m sure someone versed in Economics could summarize the above in a phrase or a sentence.

"Docker has benefitted from a community adopting its products,"

It takes a whole lot of mental gymnastics to argue that a provider of free services is actually the one benefitting from that interaction, and not the other way around.

Go ahead and build your systems on free dependencies like WordPress and Debian, but just get real and don't pretend that you are better than professionals that build business relationships and actually pay for their software dependencies like RHEL and Webflow.

> If you're reading this and you work for Docker in some relevant capacity, give us a hint as to what we're supposed to do here, we'd really appreciate it.

It sounds to me like their ultimate goal is to get more free stuff.

And I'm saying: open source should not rely on benevolent corporations.

And writing articles to beg for services is not a healthy strategy in the long term.

Instead: use open standards, don't rely on centralized infrastructure, create a marketplace for providers, and create a better future. Stop maintaining the status quo of indentured servitude.

> we were preparing for our annual DSOS renewal. This process is abysmal, there's no way to apply to roll over membership, or even a renewal process per se, you have to reapply from scratch every year using the same badly-designed form ...

It sounds more to me like those who run DockerHub aren't that interested in giving away free service.

Projection allows one to set the frame of the debate, if you then accuse them of parasitism, it doesn't carry the same weight, as they've already used it against you.

Your position is one of presumed entitlement, where you rely on services being provided because the outcry of not doing it would be costly.

So you're right in that sense. It's essentially blackmail: free services in exchange for staying silent.

I think it's unhealthy.

And I argue that we need properly funded, independent services, with clear motives.

> none of them invented Docker

I think that depends on what you mean by docker. Lots of similar things existed before, just less formalized and less centralized.

We're not talking about Dockerfiles here, but about images from a registry.

How many times faster and more reproducible is "docker run myimage:1.0.0" compared to your solution?

Careful now: people will start accusing you of NIH.

But I fully agree with you. Likely what you need is a tiny subset of the capabilities wrapped up by the higher level abstraction, so implement them directly.

Over time you may find you need additional capabilities (although that's far from a given) and, if and when you do, you'll need to make decisions about whether to implement them directly, or wrap everything in a higher level abstraction (or use a third party abstraction).

The point is that if you ever do need these additional capabilities there's a good chance it's because you've been successful enough to enter "good problem to have" territory because you didn't waste time getting distracted by them earlier on and instead chose to focus on work that enabled that success.

Just look at how much shorter and nicer the docker example is compared to the VM example. Also first example runs locally on any computer with docker or podman or whatever installed, second example exclusively runs on AWS.

The article is about DockerHub, not Docker.

Containers aren’t the only solution to every problem but they’re a decent hammer for a lot of nails.

and who hosts that Debian image you're starting from....

Yeah, no.

I'm not only using containers to deploy my VPSes.

Thank you for trying.

P.S. at least use something declarative and provider-agnostic like terraform.

what a profoundly useless comment. "why don't you do something else, unrelated, which doesn't solve any of the problems you have?" is absolutely the Ur-HN Reply.

Reposilite is a nice and easily deployed alternative.

There are plenty of open source registry implementations though, including just running "distribution" from Docker.

The format is not hard to implement either for basic storage.

Well the issue in question is complaining about something that they are not paying, so my solution is not to use the thing they are not paying for instead of complaining about it to the wind.

Pretty basic stuff.

Just in general why would you want to depend on something that you are not paying for? Isn't that a huge vulnerability vector? There's some very few exceptions where we do this like with the linux kernel, maybe you do it with the OS, but adding a third layer is just getting into npm levels of carelessness. It's one thing to slap on free (as in beer) dependencies for convenience sake at the application level, but dammit have some respect for the OS layer.

OCI image _is_ a vendor neutral VM image format; the runtime spec includes facilities for running VMs: https://github.com/opencontainers/runtime-spec/blob/main/con...

>Is there even a vendor neutral VM image format?

The vendor neutral standard is the Operating System. You don't need the format of the OS at disk to be standardized, that assumes a wild misconception of OS.

The OS integrates with hardware so you typically can't just copy an image between different machines and expect it to work, what's standard is the installation procedure which can be part OS provided and part hardware manufacturer/host provided.

Yes the process for installing the operating and configuring system is a bit of glue that might not be vendor neutral, but if you are obsessing over that and spending time with stuff like terraform you are missing the forest for the trees. It's like open source zealots complaining that github is closed source. You are 99% of the way there, forget about the 1% last mile and just port it manually.

Yeah, raw disk images. If you give me a block device, I can boot off it.

Slightly less trivially, anything qemu-img handles should probably be considered at least in the neutral direction, if not actually neutral.

I will say though, I get it, non-paying customers aren’t customers.

But if that’s the case that they offer a free tier/open source project tier without support they shouldn’t offer a service that isn’t 100% self-service.