caddyserver / caddy-docker

Source for the official Caddy v2 Docker Image
https://hub.docker.com/_/caddy
Apache License 2.0

2.7.2 should not be used, update to 2.7.3 #307

Closed TastyPi closed 1 year ago

TastyPi commented 1 year ago

See https://github.com/caddyserver/caddy/releases/tag/v2.7.3

AskAlice commented 1 year ago

How is this not automated? o.o

francislavoie commented 1 year ago

It's not automated because it's complicated and we're human. Each release is slightly different, depending on whether we need to drop support from old minor releases or not, whether we need to bump the xcaddy version, whether we need to bump Go, Alpine, etc. And then once the work is done in this repo, we must manually open a PR on https://github.com/docker-library/official-images, wait for a Docker maintainer to review and merge, then wait for the Docker Official Images Jenkins pipeline to run: https://doi-janky.infosiftr.net/

Also @hairyhenderson is unfortunately on vacation right now (was a long weekend here in Canada, it's that time of year), so this is delayed until he gets back.

As a workaround, you may build v2.7.3 using the builder image variant like this:

```dockerfile
FROM caddy:2.7.2-builder AS builder

RUN xcaddy build v2.7.3

FROM caddy:2.7.2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```

Jiehong commented 1 year ago

I was also wondering the same: 5 days ago the caddy release said not to use 2.7.2, and use 2.7.3 but docker pull shows it doesn't exist (and indeed it isn't on https://hub.docker.com/_/caddy).

The release notes do not mention the Docker images being slightly out of sync, so for me the workaround was to just keep on using 2.6.4 for now. Perhaps just always adding a note in https://github.com/caddyserver/caddy/releases telling people to expect some delays in the Docker image release would be nice.

Also, has it been considered to publish on github packages? (https://docs.github.com/en/actions/publishing-packages/publishing-docker-images#publishing-images-to-github-packages)

SaltireSoul commented 1 year ago

In the long term I'm concerned. True to Murphy's law, Caddy 2.7.x just about had everything go wrong, with the silver lining that it wasn't a 0-day exploit fix.

Now imagine this was a zero-day exploit: that is 5 days so far without the fix being pushed to Docker Hub, demonstrating a single point of failure and a clear need to improve the process of how Docker images are built.

francislavoie commented 1 year ago

This is now pending https://github.com/docker-library/official-images/pull/15189 being merged.

Thanks for being patient, everyone.