Annif v0.61 Docker image has been rebuilt

[juho.i...@helsinki.fi]

Hi all,

The Docker image for Annif version 0.61 has been rebuilt and pushed to the quay.io repository. The new, updated image has tags 0.61, 0.61.0 and 0.61.0-20230619.

The rebuild is done to apply the latest security updates to the image; there are no changes in Annif itself. The quay.io security scan reported some vulnerabilities for which fixes were available, but for which we had no particular concern - this has been just a precaution.

Note that the scanner still shows many vulnerabilities for the updated image that all are "fixed in version 0:0". There is no exact explanation for this (see this discussion), but our best understanding of this is that these vulnerabilities do not actually affect the image.

In the future we plan to rebuild the Docker image of the most recent Annif release from time to time to apply the latest security updates to it.

To allow pinning to a particular build of Annif's Docker image, the tag set of an image now includes the date of the build as a suffix: <major>.<minor>.<patch>-<YYYYMMDD>. This also allows to use the manifest digest of an image for the most careful pinning (in quay.io, when the (version) tag is reused by a newer image, the image would be purged from the repository, if the original image would not retain the (date) tag). See here for some advice on the best practices for Docker image deployments with tags.

-Juho

[juho.i...@helsinki.fi]

Hi again,

Unfortunately the rebuild Annif image that was pushed yesterday to quay.io repository with tags 0.61, 0.61.0 and 0.61.0-20230619 actually contained the current development version of Annif.

The mistakenly pushed image has now been replaced with an image with the intended Annif version 0.61: the new, corrected image has tags 0.61, 0.61.0 and 0.61.0-20230620. The image with the incorrect (current development) version of Annif, tagged with 0.61.0-20230619, has been removed from the repository.

-Juho