This repository has been archived by the owner on Nov 1, 2022. It is now read-only.
Upgrade to alpine-3.14 #3532
Merged
Upgrade to alpine-3.14 #3532
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kingdonb
force-pushed
the
alpine-3.14
branch
3 times, most recently
from
4da0278
to
71f4da3
Compare
Signed-off-by: Kingdon Barrett <yebyen@gmail.com>
Signed-off-by: Kingdon Barrett <yebyen@gmail.com>
stefanprodan
approved these changes
Aug 17, 2021
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This might be a bit quicker to safely review than #3515 – both are ready for merge IMHO, I have pushed a commit 2539db1 that will test them e2e both merged together.
The alpine-3.12 image hasn't been updated in >14 days, and has several (low, medium, high, critical) CVEs against it that hasn't been fixed in any upstream 3.12 image. I don't know when another 3.12 image will be published by Alpine. 3.12 appears to show support on the release branches page for almost another year, but experimentally it appears it is not getting updated and has CVEs against it for longer than the current series.
The alpine-3.14 series is the current series, and upgrading to 3.14.1 resolves all current CVEs in our build output according to Snyk today. I'd like for the next release to be clean of CVEs again, these are all recent CVEs that were not present (or were not yet disclosed) at the time the most recent image build was published, only about that long ago, Flux 1.23.2 that we pushed 13 days ago.
I think that Alpine users are expected to upgrade to 3.14.1 or greater now to receive updates for critical CVEs in the base image. No manual upgrades were necessary, but a 3.14 tag as of now does not appear to have been fixed at alpine upstream image repository. It's either this, or we have to run upgrades somewhere during the build of our image, which would change the layer profile and shape of our Flux image for downloads.
(To be clear I prefer this PR, I think this can be merged straightforward and is the next approval I need to proceed with creating a branch for the new series, this PR comes next after #3534 was merged.)