add "apt-get upgrade" to get security updates #68
base: master
Conversation
Docker is showing a couple of high-severity security issues; this may help.
Not 100% sure if this is the right thing to do. The only fixable vulnerability at that moment really was just the git package. I'm not exactly sure how rebuilds of official images in docker/library actually happen, either.
It's good practice anyway to upgrade when building, just in case there have been updates that have not gone into the base image.
👍
We recommend against using blanket package upgrades (
I understand what you are saying here. Packages would be at most 30 days old; instead of updating only whatever deps you will be needing, you will end up with a whole lot of new packages that will burden your image, and finally the packages will eventually be out of date if the image keeps being used without a rebuild. Thanks a lot for your feedback. So you manage to kick the obsolescence a bit down the line, at the cost of a few megabytes. I'm not totally sure this is such a bad deal. The alternative is having some packages with security issues. Another alternative, of course, would be to trigger a rebuild of this image as soon as the base image is updated, which would imply creating new workflows, and would be out of scope for this PR. Anyway, what you say makes sense, so I retract my approval.
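For reference, the two patterns the discussion weighs, side by side. This is an added illustration, not this project's Dockerfile: the base image (`debian:bookworm-slim`) and the package being installed (`git`, the one package the PR author mentions) are assumptions chosen for the example.

```dockerfile
# Added example, not the project's own Dockerfile. Base image and package
# names are assumptions for illustration.

# --- Pattern the PR proposes: blanket upgrade at build time -----------------
FROM debian:bookworm-slim AS blanket-upgrade
RUN apt-get update \
 && apt-get -y upgrade \
 && rm -rf /var/lib/apt/lists/*
# Pulls in every pending update for every package in the base image, whether
# or not this image uses it, and the result still goes stale from the moment
# it is built until the next rebuild.

# --- Pattern the review recommends: install only what the image needs -------
FROM debian:bookworm-slim AS targeted
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      git \
 && rm -rf /var/lib/apt/lists/*
# `apt-get update` and `apt-get install` share one RUN so the layer cache can
# never pair a stale package index with a fresh install. Fixes for packages
# that come from the base image are picked up by rebuilding against the
# republished base (docker build --pull --no-cache .), which is the
# rebuild-on-base-update workflow the comment above describes, not by
# upgrading inside the image.
```

To see what a blanket upgrade would actually change in a built image, run `apt-get update && apt-get -s upgrade` inside a container started from it; `-s` simulates the upgrade and lists the pending package updates without applying them, which is a quick way to check whether a rebuild against a newer base image is due.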
As indicated in the comments, this is not a recommended practice.