Obnoxious rate limits

The current pricing scheme encourages malware:

  • Docker Scout is arbitrarily limited to merely one repository per user. Any FOSS contributors with more than one repository are forced to not scan most of their repositories. In a world where 99% of software is FOSS, this sets up the entire tech industry for malware by default.
  • Simple GET requests for images and tag aliases are severely rate limited. FOSS contributors that manage multiple repositories and/or multiplatform images cannot conduct even modest SDLC activities without triggering a six hour waiting block.
  • Docker buildx manages tag aliases remotely, artificially incurring additional rate limits.
  • Team subscriptions fail to cover personal orgs, creating extra hoops to jump through, even for paying customers.
  • In general, pricing should be based on bytes processed, not features, nor number of repositories, nor number of images, nor number of platforms, nor personal/team org type. Too many tech companies make this mistake. The result is confusing to navigate. Even large enterprises end up refusing to pay for essential security features due to the mess of ‘90s style pricing schemes.
  • Even paid tiers don’t automatically enable Docker Scout for existing and newly pushed repositories. At every opportunity, malware is treated as cheaper than an actually secure posture.

Let me start off with saying that this is a community forum, where community users respond to other community users.

My understanding is that the Docker-Sponsored Open Source Program was created to combat the first bullet point by providing a free team for the main contributors of open source projects. Members of the team would not be affected by the 2nd and 3rd bullet points (as long as the images are within the namespace of the organization).

The other bullet points are related to product strategy, which cannot be answered by the community. We will try to get in touch with Docker Inc about it, though it might take a while.

That’s a hoop.

In fact, that’s 2+ hoops. Because it requires two distinct email addresses. There’s a nasty assumption that all projects have more than one person contributing.

Most engineers will never submit this form. But we all depend on open source components. Vulnerable, unscanned components.

You are right, it’s a one time hoop to jump through, and if there was a better way, we would definitely do that, instead of incurring friction on open source maintainers who have more than enough on their plate.

The reason we do it is that we also have limited resources. Making Docker Hub and Scout available to everyone is costly, and we are more than happy to do it for all the open source projects who need it and benefit from it, but at the same time we do not have the unlimited resources of some of the giants in this space to act as free infrastructure for millions of image pulls by billion dollar companies.

So, to ensure we can provide good rate limits and free access for open source folks, this was the best option. We would be very happy to get suggestions on how we can remove friction for you, and will look into the two email issue; it is not something we have heard was an issue before.

Hey @mcandre, if you’re asking why Docker requires two email addresses when applying to DSOS, here’s the reason:

We ask for two emails during registration for the Docker Sponsored Open Source program because, in many cases, the person who applies later leaves the project. When that happens, we’re left without a point of contact. Having a second email helps us avoid that situation.

That said, if you don’t have a second email address, you can simply enter the same one for both fields.

Hope this helps!