Release schedule for Debian security upgrades #14813
As for those particular openssl CVEs, see debuerreotype/docker-debian-artifacts#195 (comment).
On 09/06/23 19:25, yosifkit wrote:
As for those particular openssl cves, see https://github.com/debuerreotype/docker-debian-artifacts/issues/195#issuecomment-1577155071.
Thank you! It's nice to see the update was given careful consideration.
From that «I'd rather not update the images two weeks in a row and cause extra churn for users», I gather that updating images less than 14 days apart is considered unusual. At what point would churn no longer be a worry? 3 weeks, 4 weeks?
Knowing what pace to expect from the official images, it's easier to plan for other ways to pick up the Debian upgrades faster than that where needed.
The downstream rebuild effect when we update is pretty immense, so we try to stick to roughly three weeks barring unusual events like severe CVEs or distro-level releases. There should be an update today (assuming no serious hiccups in the rebuild).
How often are Debian-based official images updated to pick up security releases? Quite often I see official images which are several weeks out of date. It would be nice to have images refreshed once a new Debian security update is released, let's say within 24 hours.
We mirror the official images internally in our own registry, but trivy often detects vulnerable versions. For example right now the node:slim image is 17 days old and ships a vulnerable version of openssl which was upgraded 10 days ago:
So vulnerability scanners (including Docker Hub's own!) complain about CVE-2023-0464:
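One way to pick up Debian security updates ahead of the next official-image refresh, as asked about in the reply above and in this issue, is to apply them in a derived image and fail the build if the patched package is still missing. This is an added example, not code from this thread or from docker-library; it assumes a node:slim base, that the OpenSSL library package is libssl3 (bookworm) or libssl1.1 (bullseye), and MIN_LIBSSL_VERSION is a placeholder to be replaced with the fixed Debian package version from the relevant security advisory.

```dockerfile
# syntax=docker/dockerfile:1
# Derived image that applies pending Debian security updates at build time
# instead of waiting for the next official-image refresh.
# Assumptions (not from the thread): base is node:slim; the OpenSSL library
# package is libssl3 (bookworm) or libssl1.1 (bullseye); MIN_LIBSSL_VERSION
# is a placeholder that must be set to the fixed Debian package version.
FROM node:slim

ARG MIN_LIBSSL_VERSION=0.0.0-PLACEHOLDER

# Install whatever Debian security has published since the base was built,
# then drop the apt lists so the layer stays small.
RUN set -eux; \
    apt-get update; \
    apt-get upgrade -y --no-install-recommends; \
    apt-get clean; \
    rm -rf /var/lib/apt/lists/*

# Fail the build if the installed libssl is still below the required version,
# so a base image that predates the fix cannot slip through to the registry.
# The ${Version} below is in single quotes, so dpkg-query (not Docker) expands it.
RUN set -eux; \
    ver="$(dpkg-query -W -f='${Version}' libssl3 2>/dev/null \
       || dpkg-query -W -f='${Version}' libssl1.1)"; \
    echo "installed libssl version: $ver"; \
    dpkg --compare-versions "$ver" ge "$MIN_LIBSSL_VERSION"
```

Build with `docker build --build-arg MIN_LIBSSL_VERSION=<fixed version from the DSA> .` and rescan the result with trivy to confirm the finding is gone; the default placeholder passes any real version, so it is only useful once a real version is supplied.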