Open sozercan opened 3 weeks ago
looks like this is part of https://github.com/canonical/rocks-toolbox/blob/main/chisel-wrapper as --generate-dpkg-status, would be great to have this in chisel directly
Hi @sozercan, you found the chisel-wrapper!
We do have some plans to have a DB generated by Chisel directly which will resolve this issue. The PRs are very close to being merged and will hopefully land in a new version soon! Until then, please feel free to use the chisel-wrapper. We are currently using the wrapper for building ubuntu/dotnet-* docker images too.
Let me know if you have any more questions. Cheers!
Custom Ubuntu chiseled images don't seem to contain package metadata. This makes them unable to be scanned for vulnerabilities or patched with https://github.com/project-copacetic/copacetic
For example, Google distroless contains package information in /var/lib/dpkg/status.d/
https://oci.dag.dev/layers/gcr.io/distroless/static-debian12@sha256:e9168165836a0e692fbd161177ea950bfc17e3ec476fff726ff7c038e62e5cc8/var/lib/dpkg/status.d/
and similarly in Azure Linux in /var/lib/rpmmanifest/
https://oci.dag.dev/layers/mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:421cb3d7179891ba8ab574f6170b9b2e9e19531575446df7b5abffd4c6f2394b/var/lib/rpmmanifest/
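One way to check whether an image carries the metadata described in this issue, as an added example that is not part of the thread and not code from Chisel, distroless or Copacetic. It assumes the image root filesystem is available as a tarball (for instance from `docker export`); the function names are hypothetical, the sample tarball builder produces constructed data, and /var/lib/rpmmanifest/ is only checked for presence, not parsed.

```python
import io
import tarfile

# Locations named in the issue, plus the classic single-file dpkg database.
DPKG_STATUS = "var/lib/dpkg/status"
DPKG_STATUS_D = "var/lib/dpkg/status.d/"
RPM_MANIFEST = "var/lib/rpmmanifest/"


def parse_stanzas(text):
    """Yield (package, version) from dpkg control stanzas; continuation lines are skipped."""
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace() and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            yield fields["Package"], fields["Version"]


def find_package_metadata(rootfs_tar):
    """Inspect a root filesystem tarball (file object) for package metadata."""
    report = {"dpkg": {}, "rpmmanifest": [], "scannable": False}
    with tarfile.open(fileobj=rootfs_tar) as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name.lstrip("./")  # tolerate "./" or "/" path prefixes
            if name == DPKG_STATUS or name.startswith(DPKG_STATUS_D):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                report["dpkg"].update(parse_stanzas(text))
            elif name.startswith(RPM_MANIFEST):
                report["rpmmanifest"].append(name)
    report["scannable"] = bool(report["dpkg"] or report["rpmmanifest"])
    return report


def build_sample_rootfs(files):
    """Build an in-memory tarball from {path: content} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

An image for which `scannable` is false has no package inventory in any of these locations, which is the condition the issue reports for custom chiseled images.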