Closed dirkmueller closed 1 week ago
Created a staging project on OBS for 5: home:defolos:BCI:Staging:SLE-15-SP5:5-1387
Changes pushed to branch 5-1387
as commit 3c7f62849ea9b87bced0f2b4c61f6ff6189007b4
Created a staging project on OBS for 6: home:defolos:BCI:Staging:SLE-15-SP6:6-1387
Changes pushed to branch 6-1387
as commit e60f3fce4b1d0e615b3df494a5b132dc6ad64d6e
Created a staging project on OBS for Tumbleweed: home:defolos:BCI:Staging:Tumbleweed:Tumbleweed-1387
Changes pushed to branch Tumbleweed-1387
as commit 5b97bd90b340283cd33339ac39605a9e07a70d7a
"requests changes" means what needs to be changed? we can't change to kiwi build easily because it changes repositories so qa pipelines etc. need adjustment.
I don't think kiwi is a better approach. enabling a multistage build is seamless and allows to remove packages that frequently attract vulnerabilities.
"requests changes" means what needs to be changed? we can't change to kiwi build easily because it changes repositories so qa pipelines etc. need adjustment.
I wouldn't find the change that intrusive, given that this just touches tomcat, that hasn't been setup yet.
I don't think kiwi is a better approach. enabling a multistage build is seamless and allows to remove packages that frequently attract vulnerabilities.
Kiwi allows us to do the same. One disadvantage of the multistage build is that the .packages
file that OBS produces is no longer correct. E.g. suse-tomcat-10-15.6.10.x86_64-35.7.packages
contains zypper and all its dependencies. The SBOMs appear to be correct though.
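The discrepancy described in this comment (the OBS .packages listing still carrying the build-stage zypper stack while the SBOM reflects only what is shipped) is easy to detect mechanically. The script below is an added example, not part of this PR or of the BCI project: it parses a .packages file and an SPDX JSON SBOM and lists packages that appear in one inventory but not the other. The .packages line format (name|epoch|version|release|arch|disturl|license) is assumed from OBS conventions, and both inputs are constructed samples with placeholder disturls, not real build output.

```python
"""
Cross-check an OBS-style .packages listing against an SPDX SBOM.

Packages present in .packages but absent from the SBOM are candidates for
build-stage leftovers (in a multistage build: zypper and its dependencies),
which would otherwise inflate vulnerability reports derived from .packages.
"""
import json

# Constructed sample: what a .packages file looks like after a multistage
# build, where the build stage's package manager stack is still listed.
# Format assumed: name|epoch|version|release|arch|disturl|license
PACKAGES_SAMPLE = """\
tomcat|0|10.1.20|150200.1.1|noarch|obs://example/placeholder|Apache-2.0
java-17-openjdk-headless|1|17.0.10|150400.3.1|x86_64|obs://example/placeholder|GPL-2.0-with-classpath-exception
zypper|0|1.14.68|150400.3.1|x86_64|obs://example/placeholder|GPL-2.0-or-later
libzypp|0|17.31.23|150400.3.1|x86_64|obs://example/placeholder|GPL-2.0-or-later
libsolv-tools|0|0.7.28|150400.3.1|x86_64|obs://example/placeholder|BSD-3-Clause
"""

# Constructed sample: minimal SPDX 2.3 document describing the final image,
# which contains only the runtime packages.
SBOM_SAMPLE = """\
{
  "spdxVersion": "SPDX-2.3",
  "name": "example-tomcat-image",
  "packages": [
    {"name": "tomcat", "versionInfo": "10.1.20-150200.1.1"},
    {"name": "java-17-openjdk-headless", "versionInfo": "17.0.10-150400.3.1"}
  ]
}
"""


def parse_packages(text):
    """Return {name: 'version-release'} from .packages lines (assumed format)."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 4:
            raise ValueError(f"malformed .packages line: {line!r}")
        name, _epoch, version, release = fields[:4]
        pkgs[name] = f"{version}-{release}"
    return pkgs


def parse_spdx(text):
    """Return {name: versionInfo} from an SPDX JSON document's package list."""
    doc = json.loads(text)
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def diff_inventories(packages, sbom):
    """Compare the two inventories.

    Returns a dict with sorted lists:
      only_in_packages: listed by OBS but not shipped per the SBOM
      only_in_sbom:     shipped per the SBOM but missing from .packages
      version_mismatch: same name, different version-release string
    """
    pkg_names, sbom_names = set(packages), set(sbom)
    return {
        "only_in_packages": sorted(pkg_names - sbom_names),
        "only_in_sbom": sorted(sbom_names - pkg_names),
        "version_mismatch": sorted(
            n for n in pkg_names & sbom_names if packages[n] != sbom[n]
        ),
    }


def check(packages_text, sbom_text):
    """Parse both inputs and return the inventory diff."""
    return diff_inventories(parse_packages(packages_text), parse_spdx(sbom_text))


if __name__ == "__main__":
    result = check(PACKAGES_SAMPLE, SBOM_SAMPLE)
    for key, names in result.items():
        print(f"{key}: {', '.join(names) if names else '(none)'}")
```

Run against real artifacts, `check()` takes the contents of the OBS .packages (or .report, whose package columns can be mapped the same way) and the SPDX SBOM for the same build; a non-empty `only_in_packages` list is the signal that report generation should be switched to the SBOM, as the later comments in this thread propose.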
The report files suffer from the same flaw as the packages files, e.g. suse-tomcat-10-15.6.10.x86_64-35.7.report
contains the whole zypper stack too. This will mess up the reports that @msmeissn generates.
Marcus mentioned to me that it would not be an issue for him to switch to SBOMs for reports, which I think would make most sense.
This can be used for other app containers as well. Unsure if it should be done globally for all application containers.