We maintain a small docker registry of build images we use that can't be pulled or can't be relied upon to be pulled in the future from docker. In practice this means versioning specific docker images that aren't tagged with versions so become unabailable with updates, and where we have standardized on a specific version.
The registry is [registry.openprivacy.ca:5000](registry.openprivacy.ca:5000)