
add "apt-get upgrade" to get security updates #68

Draft: wants to merge 1 commit into master
Conversation


@timo timo commented Sep 16, 2024

Docker is showing a couple of high-severity security issues; this may help.

timo commented Sep 16, 2024

not 100% sure if this is the right thing to do

https://hub.docker.com/layers/library/rakudo-star/latest/images/sha256-593bd3ccafb5238f3f75e8071faec3747a3693642fdeac9d8cbbbd8d16cee56f?context=repo&tab=vulnerabilities

The only fixable vulnerability at that moment really was just the git package. I'm not exactly sure how rebuilds of official images in docker/library actually happen, either.

@timo timo marked this pull request as draft September 16, 2024 22:34

JJ commented Sep 17, 2024

It's good practice anyway to upgrade when building, just in case there have been updates that have not gone to the base image.


@JJ JJ left a comment


👍

yosifkit (Contributor) commented

We recommend against using blanket package upgrades (apt-get upgrade/apk upgrade/yum upgrade/yum update) for official-images. When package upgrades are applied in a dependent image, it duplicates content of the base image, making the image larger than necessary. It also only delays the inevitable "there are outdated packages". The Official Images build pipeline only rebuilds on an update to the Dockerfile or a base image update, so we make periodic base image updates to then fully rebuild all dependent images (e.g., the Debian and Ubuntu images are updated at least every 30 days).

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also mean that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves
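Added example (not code from this PR or the rakudo-star repository): a small shell lint that flags the blanket upgrade commands named above inside a Dockerfile's RUN instructions, so a CI job can catch them before an image is rebuilt. The two sample Dockerfiles are constructed for the example; `apt-get update` alone is intentionally not flagged, since it only refreshes package indices.

```shell
#!/bin/sh
# check_blanket_upgrade FILE: print every RUN instruction in FILE that performs a
# blanket package upgrade (apt-get upgrade/dist-upgrade, apk upgrade, yum/dnf
# upgrade or update).  Returns 0 when the Dockerfile is clean, 1 otherwise.
check_blanket_upgrade() {
    # Join backslash-continued lines so a multi-line RUN is checked as one unit.
    hits=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" |
        grep -E '^[[:space:]]*RUN([[:space:]]|$)' |
        grep -E '(apt-get|apt)[[:space:]]+(-[^[:space:]]+[[:space:]]+)*(dist-)?upgrade([^[:alnum:]_-]|$)|apk[[:space:]]+(-[^[:space:]]+[[:space:]]+)*upgrade([^[:alnum:]_-]|$)|(yum|dnf|microdnf)[[:space:]]+(-[^[:space:]]+[[:space:]]+)*(upgrade|update)([^[:alnum:]_-]|$)' || true)
    [ -z "$hits" ] && return 0
    printf 'blanket upgrade in %s:\n%s\n' "$1" "$hits"
    return 1
}

# Constructed sample Dockerfiles (not from the PR), written to a temp dir.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# The pattern this PR proposed: upgrade everything in the dependent image.
cat > "$SAMPLES/Dockerfile.upgrade" <<'EOF'
FROM debian:bookworm-slim
RUN apt-get update \
    && apt-get -y upgrade \
    && apt-get install -y --no-install-recommends git
EOF

# The recommended pattern: install only what is needed, rely on base rebuilds.
cat > "$SAMPLES/Dockerfile.clean" <<'EOF'
FROM debian:bookworm-slim
RUN apt-get update \
    && apt-get install -y --no-install-recommends git \
    && rm -rf /var/lib/apt/lists/*
EOF

# Usage: exit status 1 for the first file, 0 for the second.
check_blanket_upgrade "$SAMPLES/Dockerfile.upgrade"
check_blanket_upgrade "$SAMPLES/Dockerfile.clean"
```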


JJ commented Sep 20, 2024

I understand what you are saying here. Packages would be at most 30 days old; instead of updating only whatever deps you will be needing you will end up with a whole lot of new packages that will burden your image and finally packages will be eventually out-of-date if the image keeps being used without rebuild. Thanks a lot for your feedback.

So you manage to kick the obsolescence down the line a bit, at the cost of a few megabytes. I'm not totally sure this is such a bad deal. The alternative is having some packages with security issues. Another alternative, of course, would be to trigger a rebuild of this image as soon as the base image is updated, which would imply creating new workflows, and would be out of scope for this PR.

Anyway, what you say makes sense so I retire my approval.

@JJ JJ left a comment


As indicated in the comments, this is not a recommended practice.
