SiNaPsEr0x
commented
1 year ago I resolv to use:
Closed tomdcc closed 1 year ago
SiNaPsEr0x
commented
1 year ago I resolv to use:
tianon
commented
1 year ago Yeah, you've made some good points here (thanks for such a good writeup of the problem statement). :bow: :heart:
I've opened up #1086 to add back alpine3.17 variants again.
tomdcc
commented
1 year ago Thanks so much for doing this, and the fast turnaround! Much appreciated!
Does anything need to happen to publish the alpine 3.17 images for the latest postgres patch release now? I don't see any 3.17 tags for these on dockerhub. Thanks.
yosifkit
commented
1 year ago I'll open the PR to official images shortly.
tomdcc
commented
1 year ago Got it, thanks for the explanation.
Hi
We distribute our app as a number of container images, some of which are based on alpine images of some sort, including the database. We would normally upgrade our alpine-based images together with the next major version of our app after a new alpine release, as we try not to introduce anything except fixes in our minor/patch releases.
Postgres 12.15 came out on May 11 and new images were published on May 12. The previous day the bump to Alpine 3.18 had been merged, so there's no pg 12.15 image based on alpine 3.17. We'd like to bump to 12.15 given the security issues that it addresses. If we want to keep using the official base images, we now have the choice to either bump alpine version, risking lower level issues that we'd rather not introduce in a patch release, or stay on 12.14 until our next major release. The latter isn't really tenable though as images with pg 12.14 will start being flagged by security scanners given the reported issues that 12.15 fixes.
A solution to this would be supporting older alpine versions for some period of time. This would give users of these images more time to test any changes brought in by the underlying OS image bump.