Convenience Images update: changes to Debian mirror for `-browsers`-tagged image variants

Mid-last week, Debian moved Wheezy (7) and Jessie (8) backport repositories into, and out of its main mirror network, which prevented the installation of several packages included in -browsers-tagged variants of our convenience images, as they previously relied on the main Debian mirror.

We considered three solutions, which are also outlined here:

  1. Stop supporting Debian Jessie variants of our images
  2. Switch from the main Debian mirror to the jessie-backports archive
  3. Stop using Open JDK 8 (the root of the specific package failures) in our -browsers-tagged variants

To minimize changes to our infrastructure that could impact customers, and to resolve the issue as quickly as possible, we opted for solution #2 (see pull request). We have subsequently patched the issue in the vast majority of our images.

As a reminder, we do not actively build/maintain all available image tags. The tags we actively support are determined by the tags pushed to upstream Docker Library images, as outlined below:

Thus, to ensure your image has the latest patch, make sure the tag you are using is a new one. You can easily make this determination in either of two ways:

You can also use our images’ semantic versioning system, which draws from the semantic versioning of upstream Docker Library images, to make sure you receive these kinds of updates automatically. For example, while the circleci/node:9.10.0 image tag may not be built in the future, referencing circleci/node:9.10 in your config.yml file will ensure that you always receive the latest circleci/node:9.10.z image tag.

Finally, it’s important to note that our solution—to use the packages in the Debian Archive—is temporary: the Archive infrastructure does not receive security updates, so we will be patching this issue in a more permanent way, with better long-term security implications, in the near future.

Thank you!