You're taking an all or nothing approach, when that isn't how this actually works. Software lifecycle management is part of product management 101, and generally how this is handled is you provide /advanced notice/ before an action is taken. Will this fully solve this issue and guarantee notification to every impact user? No. Will it help some of them and show a material attempt to be a good steward and act in good faith? Yes.
Some actions that they could have taken but didn't:
* Post a public notice on their website with a set date 90+ days out for when they'd shut off CI and stop producing new images
* Add a line to their Docker init script that puts out a deprecation notice with the same date 90+ days out to STDOUT that will get seen/logged on systems using the image
* Send direct communication to their paying customers via email or generated support tickets notifying them of the upcoming deprecation and that they need to switch their deployments to a new image source on a set date 90+ days out.
They could have done all three of these things, they could have done other things also. Most importantly, anything they do should have time for people to digest and respond to the action in a reasonable manner, you should not rug pull people by unilaterally changing something with no prior notice, only telling people about the change as it happens, and immediately causing a problem (no forward path for CVE fixes).
Some actions that they could have taken but didn't:
* Post a public notice on their website with a set date 90+ days out for when they'd shut off CI and stop producing new images
* Add a line to their Docker init script that puts out a deprecation notice with the same date 90+ days out to STDOUT that will get seen/logged on systems using the image
* Send direct communication to their paying customers via email or generated support tickets notifying them of the upcoming deprecation and that they need to switch their deployments to a new image source on a set date 90+ days out.
They could have done all three of these things, they could have done other things also. Most importantly, anything they do should have time for people to digest and respond to the action in a reasonable manner, you should not rug pull people by unilaterally changing something with no prior notice, only telling people about the change as it happens, and immediately causing a problem (no forward path for CVE fixes).