alpine 3.20 usage #714
Comments
FWIW for RabbitMQ 4.0 it was decided to go with Alpine 3.20 (#712). Whether this kind of a jump would be reasonable for 3.13, I am not in a position to tell, but I'd say we should try to use the latest and greatest base operating system images, if anything, for the easily available and timely security updates they receive.
I can't think of any good reasons not to update 👍
I'm also seeing the security issues @JensUweFischer mentioned. I created #718 to resolve this.
I agree we should update, but can you elaborate on "the security issues"? There are no package updates available in the current Alpine-based images (and Alpine is pretty active at fixing security issues, even in 3.19 and all the way down to 3.17 still):

$ docker run -it --rm --pull=always rabbitmq:alpine sh
alpine: Pulling from library/rabbitmq
Digest: sha256:aca89010eb1892720642c061530926725cd59cc92a55a017b1561469a674b22a
Status: Image is up to date for rabbitmq:alpine
/ # apk list --no-cache --upgradeable
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
/ #
But: background information: that base image brings a /etc/apk/repositories which specifies
this file /etc/apk/repositories exists in your derived image and results in
whenever Alpine wants to get the "relevant" latest APKINDEX.tar.gz in the alpine:3.20 base image, the file /etc/apk/repositories contains
If you are really interested in the security fixes in python3 (which I don't think)
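The two comments above turn on the same detail: `apk list --upgradeable` only compares against the APKINDEX of the branches named in /etc/apk/repositories, so a derived image that still carries a v3.19 repositories file will never report the packages that exist only in v3.20. The script below is an added example, not code from the thread or from the rabbitmq image repository; it audits an exported rootfs directory (assumed layout: stock Alpine /etc/alpine-release and /etc/apk/repositories) and flags any repository whose branch does not match the image's own release.

```shell
#!/bin/sh
# Added example (not from the issue thread). Audit an Alpine rootfs so that a
# "nothing upgradeable" answer from `apk list --upgradeable` can be trusted.
# Assumption: $1 is a rootfs directory (e.g. an unpacked `docker export`), with
# the stock Alpine files /etc/alpine-release and /etc/apk/repositories.

# Print the vX.Y branch the image belongs to (3.19.1 -> v3.19).
release_branch() {
    rel=$(cat "$1/etc/alpine-release") || return 1
    printf 'v%s\n' "$rel" | cut -d. -f1,2
}

# Print each distinct branch (v3.19, edge, ...) named in /etc/apk/repositories,
# skipping comments and blank lines; non-URL entries (e.g. local media) are ignored.
repo_branches() {
    grep -v '^[[:space:]]*#' "$1/etc/apk/repositories" \
        | grep -v '^[[:space:]]*$' \
        | sed -n 's#.*/alpine/\([^/]*\)/.*#\1#p' \
        | sort -u
}

# Return 0 when every configured repository is on the release's own branch.
# Otherwise name each stale or foreign branch on stderr and return 1; apk will
# only ever see packages from the branches listed here.
check_repositories() {
    want=$(release_branch "$1") || return 2
    rc=0
    for b in $(repo_branches "$1"); do
        if [ "$b" != "$want" ]; then
            echo "repositories pins $b but image is $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: make_fixture <alpine-release> <repo-branch> prints a
# temporary rootfs whose repositories file mirrors the v3.19 URLs in the thread.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/apk"
    echo "$1" > "$dir/etc/alpine-release"
    printf 'https://dl-cdn.alpinelinux.org/alpine/%s/main\n' "$2" > "$dir/etc/apk/repositories"
    printf 'https://dl-cdn.alpinelinux.org/alpine/%s/community\n' "$2" >> "$dir/etc/apk/repositories"
    echo "$dir"
}
```

Run it against a real image with something like `docker export "$(docker create rabbitmq:alpine)" | tar -x -C ./rootfs` followed by `check_repositories ./rootfs`; a non-zero exit means the branch pinned in the repositories file, not the lack of CVEs, is what keeps the upgrade list empty.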
My issue is that in 3.19 Snyk doesn't flag them on the container when I look in Docker Hub, but I've seen that many times.
A few things worth clarifying:

Version numbers between releases of Alpine are generally unrelated and uncomparable (except the major/upstream version portion, which is often supplemented with explicit security patch backports). For example, a version 1.2.3-r4 in 3.19 and 1.2.3-r4 in 3.20 are only related in that they both represent some form of a 1.2.3 upstream release, not necessarily the same.

Python 3.12.3 is not more secure or more up-to-date than 3.11.9 -- both Python 3.12 and Python 3.11 are actively supported and maintained and receive security updates (just like Alpine 3.19 does). In fact, 3.11.9 is the latest release in the 3.11 series, where 3.12.3 is two patch versions behind the 3.12 latest (3.12.5). See also https://docs.python.org/3.11/whatsnew/changelog.html

The CVE list on Docker Hub is not provided by Snyk but by Docker Scout (which uses a different engine for matching CVEs that's more careful about false positives than previous solutions on Hub have been and than most other tools are). If it's missing CVEs that you believe apply, I'm sure that team would be very keen to receive those reports.
(Closing as fixed via #718)
Alpine v3.20 is released (https://alpinelinux.org/).
Currently the Python in the Alpine images is limited to 3.11.19 (https://pkgs.alpinelinux.org/packages?name=python3&branch=v3.19&repo=&arch=x86_64&maintainer=), which has security issues.
If Alpine were updated to v3.20 (https://pkgs.alpinelinux.org/packages?name=python3&branch=v3.20&repo=&arch=x86_64&maintainer=), python3 would be updated to 3.12.3-r1.
Can we please have the Alpine version updated?
Thanks, Jens