Using the gosu tool results in too many complaints about vulnerabilities, because we also have to include go in the image.
By replacing gosu with su-exec we don't need to include go, and so theoretically it should not have those CVEs.
Since su-exec isn't provided as a pre-built binary anywhere reliable, I had to update the Dockerfiles to be multi-stage builds. I don't know if this violates the rules of Docker Official Images. I couldn't see anything mentioning multi-stage builds specifically, but it does risk forcing us to revert this change later.
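A sketch of the multi-stage pattern described above, as an added example that is not taken from this pull request's Dockerfiles. The base image `debian:bookworm-slim`, the stage name `su-exec-build`, the install path and the `SU_EXEC_COMMIT` build argument are assumptions; the source repository is the upstream su-exec project at https://github.com/ncopa/su-exec.

```dockerfile
# Added illustration; base images, paths and the build arg are assumptions.
FROM debian:bookworm-slim AS su-exec-build

# Commit of the su-exec repository to build. It has no default on purpose:
# pass --build-arg SU_EXEC_COMMIT=<commit you have reviewed> so the source
# that ends up in the image is pinned and auditable.
ARG SU_EXEC_COMMIT

RUN set -eux; \
    : "${SU_EXEC_COMMIT:?pass --build-arg SU_EXEC_COMMIT=<commit>}"; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        ca-certificates gcc git libc6-dev make; \
    git clone https://github.com/ncopa/su-exec.git /usr/src/su-exec; \
    cd /usr/src/su-exec; \
    git checkout --detach "${SU_EXEC_COMMIT}"; \
    make; \
    install -m 0755 su-exec /usr/local/bin/su-exec

# Final stage: must use a libc compatible with the build stage, because
# the default make target links su-exec dynamically.
FROM debian:bookworm-slim

# Only the compiled binary crosses into the final image. The compiler,
# git and the source tree stay behind in the discarded build stage, so
# image scanners see a small C binary instead of an embedded Go runtime.
COPY --from=su-exec-build /usr/local/bin/su-exec /usr/local/bin/su-exec

# Smoke test at build time: drop to an unprivileged user and confirm
# the effective uid really changed.
RUN set -eux; \
    [ "$(su-exec nobody id -u)" = "$(id -u nobody)" ]
```

Because the binary is compiled from source, a scanner may no longer match it to a package entry, so the pinned commit is the record to track against upstream fixes.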