Open matthyx opened 2 years ago
Hey @matthyx! Thanks for pointing that out to us. This is something that we have heard a decent amount of interest in (see this Slack thread, there's a lot of context there). To summarize, our policy is usually to update the LTS version every 4 years because of the overhead associated with supporting multiple stacks. It requires supporting a new set of stacks, builders, and potentially some buildpack dependencies, and also will use a fair number of project resources to maintain. I saw @dmikusa-pivotal mentioned the idea of possibly supporting a community-maintained 20.04 stack which could be a viable option given the amount of interest we've seen.
I appreciate your willingness to contribute to the effort. This is a topic with far-reaching effects; I think that we need to align as a project on a path forward to get this to happen. I can bring this up at our working group meeting tomorrow (March 8 @ 2:00 EST), if you'd like to join. I can also keep this issue up to date with the latest developments.
Awesome, I have worked with Daniel on an issue regarding SSL certificates in Java images. Please keep me updated; also, I'm not sure if an issue in this particular repo is appropriate...
Indeed when I do a code search in your org with "bionic" it's incredible how many files show up, Golang, yaml, shell, toml, Dockerfiles... it doesn't look modular at all!
@matthyx I do have a question about your use case I'd like some clarification on. Currently, whenever there's a USN patch for a CVE in the 18.04 stack, we update the stack we ship and release a new version. Therefore any fixed CVEs should be fixed in our stacks.
Is there some complexity around the libpam vulnerability specifically that would lead it to be fixed in 20.04 but not in 18.04?
I am going to transfer this issue to our main stacks repository
> Is there some complexity around the libpam vulnerability specifically that would lead it to be fixed in 20.04 but not in 18.04?
The patch has been fixed in libpam 1.3.1; however, if you look at the package search page of Ubuntu, bionic uses 1.1.8. The only LTS that uses 1.3.1 is focal:
Package libpam-modules-bin (admin): Pluggable Authentication Modules for PAM - helper binaries

| Suite | Version | Architectures |
| --- | --- | --- |
| [bionic (18.04LTS)](https://packages.ubuntu.com/bionic/libpam-modules-bin) | 1.1.8-3.6ubuntu2 | amd64 arm64 armhf i386 ppc64el s390x |
| [bionic-updates](https://packages.ubuntu.com/bionic-updates/libpam-modules-bin) | 1.1.8-3.6ubuntu2.18.04.3 | amd64 arm64 armhf i386 ppc64el s390x |
| [focal (20.04LTS)](https://packages.ubuntu.com/focal/libpam-modules-bin) | 1.3.1-5ubuntu4 | amd64 arm64 armhf i386 ppc64el s390x |
| [focal-updates](https://packages.ubuntu.com/focal-updates/libpam-modules-bin) | 1.3.1-5ubuntu4.3 | amd64 arm64 armhf i386 ppc64el s390x |
| [hirsute (21.04)](https://packages.ubuntu.com/hirsute/libpam-modules-bin) | 1.3.1-5ubuntu6 | amd64 arm64 armhf i386 ppc64el s390x |
| [hirsute-updates](https://packages.ubuntu.com/hirsute-updates/libpam-modules-bin) | 1.3.1-5ubuntu6.21.04.1 | amd64 arm64 armhf i386 ppc64el s390x |
| [impish (21.10)](https://packages.ubuntu.com/impish/libpam-modules-bin) | 1.3.1-5ubuntu11 | amd64 arm64 armhf i386 ppc64el s390x |
| [jammy](https://packages.ubuntu.com/jammy/libpam-modules-bin) | 1.4.0-11ubuntu1 | amd64 arm64 armhf i386 ppc64el s390x |
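The maintainers' question above (whether a USN fix lands in the 18.04 stack) and the package listing turn on one detail: Ubuntu ships security fixes as new revisions of the release's own package version (bionic-updates carries 1.1.8-3.6ubuntu2.18.04.3, a later revision of 1.1.8, not 1.3.1), so a check that only looks at the upstream number cannot tell a patched bionic package from an unpatched one. The script below is an added example, not Paketo project code: it reimplements dpkg's version ordering in Python and checks a package list against required fixed versions. Whether the bionic-updates revision actually contains the fix for the vulnerability discussed here is stated by the corresponding USN, which this thread does not cite, so the "required" versions and the dpkg-query output in the script are constructed placeholders.

```python
"""Compare Debian/Ubuntu package versions the way dpkg does, and check a
package list against minimum (fixed) versions.

Added example, not Paketo project code.  The version strings reused here are
the ones quoted from packages.ubuntu.com above; the dpkg-query output and the
"required" versions are constructed placeholders for illustration.
"""
import re


def _parse(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _char_order(c):
    """Debian ordering: '~' sorts before end-of-string, letters before non-letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_non_digits(a, b):
    """Lexical comparison of two non-digit runs using the Debian character order."""
    for i in range(max(len(a), len(b))):
        ca = a[i] if i < len(a) else ""
        cb = b[i] if i < len(b) else ""
        oa, ob = _char_order(ca), _char_order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream or revision string: alternate non-digit runs
    (lexical) and digit runs (numeric), as Debian policy specifies."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_non_digits(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1, ordering v1 against v2 like `dpkg --compare-versions`."""
    e1, u1, r1 = _parse(v1)
    e2, u2, r2 = _parse(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def find_unpatched(dpkg_output, required):
    """Given newline-separated `dpkg-query -W -f '${Package} ${Version}'` output
    and a map package -> minimum fixed version, return packages still below it."""
    unpatched = []
    for line in dpkg_output.strip().splitlines():
        name, version = line.split()
        fixed = required.get(name)
        if fixed is not None and compare_versions(version, fixed) < 0:
            unpatched.append((name, version, fixed))
    return unpatched


# Constructed sample of what a bionic-based image might report.
SAMPLE_DPKG_OUTPUT = """\
libpam-modules-bin 1.1.8-3.6ubuntu2.18.04.3
libpam0g 1.1.8-3.6ubuntu2.18.04.3
libc6 2.27-3ubuntu1.6
"""

# Placeholder minimum versions; the real values come from the relevant USN.
REQUIRED_BY_BINARY_VERSION = {"libpam-modules-bin": "1.1.8-3.6ubuntu2.18.04.3"}
# Keying on the upstream release alone flags every bionic package, patched or not.
REQUIRED_BY_UPSTREAM_ONLY = {"libpam-modules-bin": "1.3.1"}

if __name__ == "__main__":
    print(find_unpatched(SAMPLE_DPKG_OUTPUT, REQUIRED_BY_BINARY_VERSION))
    print(find_unpatched(SAMPLE_DPKG_OUTPUT, REQUIRED_BY_UPSTREAM_ONLY))
```

Run inside a container built on the stack in question and pipe the real `dpkg-query -W -f '${Package} ${Version}\n'` output into `find_unpatched`, with the fixed binary versions taken from the USN for the advisory your scanner is flagging; if the scanner's rule compares against the upstream release number instead, the second map shows why it reports the package as unpatched even on a fully updated bionic image.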
> I can bring this up at our working group meeting tomorrow (March 8 @ 2:00 EST), if you'd like to join
Where do I find the meeting info, please? Found it: https://github.com/paketo-buildpacks/community
Hello,
I have one good motivation for upgrading Paketo buildpacks to the current LTS. My sec team doesn't allow us to have any Ubuntu 18.04 in our Docker repositories because of a vulnerability in libpam 1.1.8.
Would it help if I opened a PR to use the current LTS?
Cheers, Matthias