--- affected users: container registry users deadline: 2025-05-08 (3 weeks) status: proposed discussion: https://gitlab.torproject.org/tpo/tpa/base-images/-/issues/24 ---
Summary: TPA container images will follow upstream OS support schedules
Table of contents:
- Proposal - Debian images - Ubuntu images - Alternatives considered - Different schedules according to image type - Upgrades in lockstep with our major upgrades - Upgrade completes before EOL - Upgrade completes after EOL - References
# Proposal
Container image versions published by TPA as part of the `base-images` repository will be supported following upstream (Debian and Ubuntu) support policies, including "LTS" releases.
In other words, we will *not* retire the images in lockstep with the normal "major release" upgrade policy, which typically starts the upgrade during the freeze and aims to retire the previous release within a year.
This is to give our users a fallback if they have trouble with the major upgrades, and to simplify our upgrade policy.
This implies supporting 4 or 5 Debian build per image, per architecture, depending on how long upstream live, including testing and unstable.
We can make exceptions in case our major upgrades take an extremely long time (say, past the LTS EOL date), but we *strongly* encourage all container image users to regularly follow the latest "stable" release (if not "testing") to keep their things up to date, regardless of TPA's major upgrades schedules.
Before image retirements, we'll send an announcement, typically about a year in advance (when the new stable is released, which is typically a year before the previous LTS drops out of support) and a month before the actual retirement.
## Debian images
Those are the Debian images currently supported and their scheduled retirement date.
| codename | version | end of support | |------------|---------|----------------| | `bullseye` | 11 | 2026-08-31 | | `bookworm` | 12 | 2028-06-30 | | `trixie` | 13 | likely 2030 | | `sid` | N/A | N/A |
Note that `bullseye` was actually retired already, before this proposal was adopted ([tpo/tpa/base-images#19][]).
[tpo/tpa/base-images#19]: https://gitlab.torproject.org/tpo/tpa/base-images/-/issues/19
## Ubuntu images
Ubuntu releases are tracked separately, as we do not actually perform Ubuntu major upgrades. So we currently have those images:
| codename | version | end of support | |------------|-----------|----------------| | `focal` | 20.04 LTS | 2025-05-29 | | `jammy` | 22.04 LTS | 2027-06-01 | | `noble` | 24.04 LTS | 2029-05-31 | | `oracular` | 24.10 | 2025-07 |
Concretely, it means we're supporting a relatively constant number (4) of upstream releases.
Note that we do not currently build other images on top of Ubuntu images, and would discourage such an approach, as Ubuntu is typically not supported by TPA, except to build third-party software (in this case, "C" Tor).
# Alternatives considered
Those approaches were discussed but ultimately discarded.
## Different schedules according to image type
We've also considered having different schedules for different image types, for example having only "stable" for some less common images.
This, however, would be confusing for users: they would need to *guess* what exactly we consider to be a "common" image.
This implies we build more images than we might truly need (e.g. who really needs the `redis-server` image from `testing` *and* `unstable`?) but this seems like a small cost to pay for the tradeoff.
We currently do not feel the number of built images is a problem in our pipelines.
## Upgrades in lockstep with our major upgrades
We've also considered retiring container images in lockstep with the major OS upgrades as performed by TPA. For Debian, this would have *not* include LTS releases, unless our upgrades are delayed. For Ubuntu, it includes LTS releases and supported rolling releases.
For Debian, it meant we generally supported 3 releases (including testing and unstable), except during the upgrade, when we support 4 versions of the container images for however long it takes to complete the upgrade after the stable release.
This was confusing, as the lifetime of an image depended upon the speed at which major upgrades were performed. Those are highly variable, as they depend on the team's workload and the difficulties encountered (or not) during the procedure.
It could mean that support for a container image would abruptly be dropped if the major upgrade crossed the LTS boundary, although this is also a problem with the current proposal, alleviated by pre-retirement announcements.
### Upgrade completes before EOL
In this case, we complete the Debian 13 upgrade before the EOL:
- 2025-04-01: Debian 13 upgrade starts, 12 and 13 images supported - 2025-06-10: Debian 13 released, Debian 14 becomes `testing`, 12, 13 and 14 images supported - 2026-02-15: Debian 13 upgrade completes - 2026-06-10: Debian 12 becomes LTS, 12 support dropped, 13 and 14 supported
In this case, "oldstable" images (Debian 12) images are supported 4 months after the major upgrade completion, and 14 months after the upgrades start.
### Upgrade completes after EOL
In this case, we complete the Debian 13 upgrade after the EOL:
- 2025-04-01: Debian 13 upgrade starts, 12 and 13 images supported - 2025-06-10: Debian 13 released, Debian 14 becomes `testing`, 12, 13 and 14 images supported - 2026-06-10: Debian 12 becomes LTS, 12, 13 and 14 supported - 2027-02-15: Debian 13 upgrade completes, Debian 12 images support dropped, 13 and 14 supported - 2028-06-30: Debian 12 LTS support dropped upstream
In this case, "oldstable" (Debian 12) images are supported zero months after the major upgrades completes, and 22 months after the upgrade started.
# References
- [discussion issue][] - [Debian release support schedule][] - [Ubuntu][] and [Debian][] release timelines at Wikipedia - [Debian major upgrades progress and history][]
[discussion issue]: https://gitlab.torproject.org/tpo/tpa/base-images/-/issues/24 [Debian major upgrades progress and history]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades#all-time-v... [Debian]: https://en.wikipedia.org/wiki/Debian_version_history#Release_table [Ubuntu]: https://en.wikipedia.org/wiki/Ubuntu_version_history#Table_of_versions [Debian release support schedule]: https://www.debian.org/releases/