dockerfilelint should not recommend against installing security updates by default #148
Original issue:

I have to disable apt-get-upgrade and apt-get-dist-upgrade on every project because those steps are mandatory for installing security updates. The referenced blog post is now gone but the reasoning was always highly suspect for anyone who cares about security since it basically says “don't patch your systems, just get used to ignoring all of those CVEs until you can get an upstream update shipped”. Due to the way layers work, if the upstream is responsive the update will have minimal impact on the image size since all of the relevant packages will already be installed, so the only time this has a significant impact is precisely when you need it for security and reliability reasons.

Comments

According to the Readme you can disable the rules via a config file, if you're bothered by the linter output. There's a valid reason why it might not be desirable to use apt upgrade etc. By using those you won't know the exact version that gets installed, i.e. you have no version pinning. Therefore you can't get reproducible builds. In the end, it will depend on what you're trying to achieve; I can think of use cases for both approaches.

Defaults shift behavior, especially for people who aren’t experts. I’d tend to think that it’d be better not to discourage installing security updates by default and to let the much smaller community of people trying for reproducible builds worry about that along with all of the other details they’re going to need to deal with.

The problem is also that you can't always upgrade some of the packages inside an unprivileged container.

@svl7 the above mentioned part of the Docker documentation was recently removed: docker/docs#12571
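The two approaches the thread contrasts, side by side, as an added Dockerfile example that is not from the dockerfilelint project or from any participant in this issue. It assumes a Debian-based base image (debian:bookworm-slim) and curl as the package being installed; the pinned version is supplied through a build argument named CURL_VERSION because the page gives no real version to hard-code.

```dockerfile
# Added example: pinned install (reproducible, no upgrade step) next to an
# image that applies security updates (apt-get upgrade). Base image, package
# name and the CURL_VERSION build argument are assumptions for illustration.

# Variant A: reproducible build with a pinned package version.
# dockerfilelint's apt-get-upgrade / apt-get-dist-upgrade rules do not fire,
# but the image carries only the fixes that were already in the base image.
# Caveat: Debian's main archive keeps only the current version of a package,
# so a pinned version stops resolving once an update supersedes it, and the
# build fails until the pin is bumped.
FROM debian:bookworm-slim AS pinned
ARG CURL_VERSION
# Find the version to pin by querying the base image itself, e.g.
#   docker run --rm debian:bookworm-slim \
#     sh -c 'apt-get update -qq && apt-cache policy curl'
# then build with:
#   docker build --target pinned --build-arg CURL_VERSION=<version> .
RUN apt-get update \
 && apt-get install -y --no-install-recommends "curl=${CURL_VERSION}" \
 && rm -rf /var/lib/apt/lists/*

# Variant B: apply security updates at build time (the pattern the issue
# opener wants to keep). dockerfilelint flags the upgrade line by default;
# the first comment notes the rule can be turned off in its config file.
# Only packages already present in the base image get upgraded, so the extra
# layer stays small when the base image is kept current upstream; rebuild on
# a schedule so the upgraded layer does not itself go stale.
FROM debian:bookworm-slim AS patched
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends curl \
 && rm -rf /var/lib/apt/lists/*
```

Build either variant with `docker build --target pinned` or `docker build --target patched`; the `rm -rf /var/lib/apt/lists/*` in the same RUN instruction keeps the downloaded package index out of the layer in both cases.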
on every project because those steps are mandatory for installing security updates. The referenced blog post is now gone but the reasoning was always highly suspect for anyone who cares about security since it basically says “don't patch your systems, just get used to ignoring all of those CVEs until you can get an upstream update shipped”. Due to the way layers work, if the upstream is responsive the update will have minimal impact on the image size since all of the relevant packages will already be installed so the only time this has a significant impact is precisely when you need it for security and reliability reasons.The text was updated successfully, but these errors were encountered: