So, Docker Inc has finally updated the FAQ for their previously announced service limits. And I'm not going to lie, it's pretty brutal. You should consider any (unpaid) use of Docker Hub to be an operational risk going forward.
The anonymous pull limits have been clarified to be by IP, so anyone running container tooling behind a NAT should expect to hit those very quickly (100 pulls per 6 hours). And image expiry will apparently be per-version.
The latter has me very worried that old versions of FOSS tools will quickly age out, potentially destroying quite a bit of archived history. There is a nebulous answer that FOSS projects can get some kind of special plan (https://www.docker.com/community/open-source-application).
If your FOSS project uses Docker Hub for distribution, I would strongly encourage you to at least try that route in the hopes that you can preserve some history should someone need it in the future.
My inner security engineer is just screaming "what about when we need to establish how long ago a trojan was introduced into a build artifact?" and all the old versions are just gone. Not to mention actual archivists who may not even know what they are losing.
I completely understand why running a public utility feels overwhelming for Docker, but as someone who ran PyPI for a long time, it can be done and the value to the community is incalculable. (shoutout to all the partners that make running PyPI and things like it possible)
You can follow @kantrn.
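Added example, not part of the thread above: a small POSIX shell script for the "behind a NAT" point, which lets a build host see how much of the anonymous pull budget its public IP has left before a pipeline starts failing. It assumes Docker's documented rate-limit check (an anonymous token for the ratelimitpreview/test image, then a HEAD request on its manifest, which returns ratelimit-limit and ratelimit-remaining headers in the form count;w=window-seconds). The header sample embedded in the script is constructed for offline use, not a real capture.

```sh
#!/bin/sh
# Added example (not from the thread): report how much anonymous Docker Hub pull
# budget this machine's public IP has left. Assumes Docker's documented check:
# a HEAD on the manifest of "ratelimitpreview/test", which reports
# ratelimit-limit / ratelimit-remaining as "count;w=window-seconds" without
# downloading any layers. Requires curl for the live path; parsing is awk only.
set -eu

# Print the count from a header such as "ratelimit-remaining: 87;w=21600".
# $1 = header name (matched case-insensitively), raw response headers on stdin.
ratelimit_count() {
  tr -d '\r' | awk -v name="$1" '
    !done && tolower($1) == (tolower(name) ":") { split($2, f, ";"); print f[1]; done = 1 }'
}

# Print the window length in seconds (the "w=" parameter) of the same header.
ratelimit_window() {
  tr -d '\r' | awk -v name="$1" '
    !done && tolower($1) == (tolower(name) ":") {
      n = split($2, f, ";")
      for (i = 2; i <= n; i++) if (sub(/^w=/, "", f[i])) print f[i]
      done = 1
    }'
}

# Exit 0 if the remaining budget is strictly above the threshold in $1, else 1.
# Usage: printf '%s\n' "$headers" | pulls_remaining_ok 20
pulls_remaining_ok() {
  remaining=$(ratelimit_count ratelimit-remaining)
  [ -n "$remaining" ] && [ "$remaining" -gt "$1" ]
}

# Live check against Docker Hub (needs network). The token is anonymous, so the
# numbers are for this host's public IP, i.e. shared by everyone behind the
# same NAT. The token JSON is picked apart with sed to avoid a jq dependency.
docker_hub_pull_budget() {
  token=$(curl -fsS 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull' \
    | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
  headers=$(curl -fsS --head -H "Authorization: Bearer $token" \
    https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest)
  printf 'limit=%s remaining=%s window=%ss source=%s\n' \
    "$(printf '%s\n' "$headers" | ratelimit_count ratelimit-limit)" \
    "$(printf '%s\n' "$headers" | ratelimit_count ratelimit-remaining)" \
    "$(printf '%s\n' "$headers" | ratelimit_window ratelimit-limit)" \
    "$(printf '%s\n' "$headers" | tr -d '\r' | awk 'tolower($1) == "docker-ratelimit-source:" { print $2 }')"
}

# Constructed sample response (not a real capture) so the parsing can be
# exercised offline; the values are illustrative only.
SAMPLE_HEADERS='HTTP/1.1 200 OK
content-type: application/vnd.docker.distribution.manifest.list.v2+json
ratelimit-limit: 100;w=21600
ratelimit-remaining: 87;w=21600
docker-ratelimit-source: 203.0.113.7'

if [ "${1:-}" = "--live" ]; then
  docker_hub_pull_budget
else
  printf 'sample: %s of %s pulls left in a %ss window\n' \
    "$(printf '%s\n' "$SAMPLE_HEADERS" | ratelimit_count ratelimit-remaining)" \
    "$(printf '%s\n' "$SAMPLE_HEADERS" | ratelimit_count ratelimit-limit)" \
    "$(printf '%s\n' "$SAMPLE_HEADERS" | ratelimit_window ratelimit-limit)"
fi
```

Run it with --live to query Docker Hub; without arguments it only parses the constructed sample. Wiring pulls_remaining_ok into a CI pre-step (fail early when the shared budget is nearly gone, or switch to an authenticated pull or a pull-through mirror) is the practical use: once the per-IP budget is exhausted, every job behind that NAT fails the same way at once.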