Closed ne20002 closed 1 week ago
Unfortunately, I've recently discovered in https://github.com/docker-library/rabbitmq/discussions/733#discussioncomment-10939232 that the way the distributions compile gosu does not allow govulncheck to work properly; I've fixed that in Debian Unstable, but it's going to take a few years before that trickles down to enough meaningful stable releases. :sweat_smile:
For your purposes, I'd suggest installing the upstream-released binaries instead: https://github.com/tianon/gosu/blob/4233b796eeb3ba76c8597a46d89eab1f116188e2/INSTALL.md :eyes:
The most impactful change in https://github.com/tianon/gosu/compare/1.14...1.17 is the ability for govulncheck to work on the binary, so updating is probably a good plan. :+1:
(You'll probably also want to keep https://github.com/tianon/gosu/blob/4233b796eeb3ba76c8597a46d89eab1f116188e2/SECURITY.md and https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves handy, since many of the security tools are still trying to figure out how to integrate govulncheck properly :sob:)
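As an added illustration of the "install the upstream-released binaries" advice above (this is not the Friendica image's Dockerfile and not gosu's own INSTALL.md), the fragment below fetches the 1.17 release binary and refuses to keep it unless its detached signature verifies. It assumes a Debian-based base image with dpkg, and that the release signing key fingerprint used here is the one gosu publishes in its INSTALL.md.

```dockerfile
# Added example: install upstream gosu 1.17 with signature verification.
# Assumptions: Debian-based image; the key fingerprint below is gosu's
# published release signing key (check it against gosu's INSTALL.md).
FROM debian:bookworm-slim

ENV GOSU_VERSION 1.17
RUN set -eux; \
	savedAptMark="$(apt-mark showmanual)"; \
	apt-get update; \
	apt-get install -y --no-install-recommends ca-certificates gnupg wget; \
	rm -rf /var/lib/apt/lists/*; \
	# gosu release assets are named after the dpkg architecture (amd64, arm64, ...)
	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
	# verify the detached signature before the binary is ever executed;
	# a failed verification aborts the build because of set -e
	export GNUPGHOME="$(mktemp -d)"; \
	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
	gpgconf --kill all; \
	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
	# drop the build-only tools again so they do not widen the image's attack surface
	apt-mark auto '.*' > /dev/null; \
	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
	chmod +x /usr/local/bin/gosu; \
	# smoke test: the binary runs and can switch to an unprivileged user
	gosu --version; \
	gosu nobody true
```

Because the upstream binary carries Go build information, `govulncheck -mode binary /usr/local/bin/gosu` can report on its dependencies, which is the capability tianon describes the distro-built packages as lacking.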
Looking at the Dockerfile templates, they use gosu version 1.14. I wonder if this needs to / should be updated (as a number of warnings on hub.docker.com are related to gosu version 1.14 in the Friendica image).
For Debian, a stable version 1.14 is available: would installing this version of gosu with apt be a better choice? Or should we stick with the current download but update to 1.17?
For Alpine it looks like 1.17 is available as a package: would it be a better choice to install it as a package?
Looking in, e.g., the Dockerfile of the Nextcloud package, it seems that gosu is not used. But the Nextcloud setup is similar to the Friendica one. Is using gosu still recommended?
@tianon Could you give some quick advice, please? I will then do the update accordingly.