project-copacetic / copacetic

🧵 CLI tool for directly patching container images using reports from vulnerability scanners
https://project-copacetic.github.io/copacetic/
Apache License 2.0

[QUESTION] How this app is better than just updating all the packages using OS commands #642

Open smartaquarius10 opened 1 month ago

smartaquarius10 commented 1 month ago

What is your question?

Hello,

Generally, people just write these commands in a Dockerfile, which update the packages and remove the vulnerabilities:

apk update   # refresh the package index first
apk upgrade  # then upgrade every installed package

How is Copacetic better than adding these two lines? If we add this in an enterprise CI/CD pipeline, it raises a few concerns.

Any suggestion on this? How is this app more beneficial than old-school OS commands?

Regards, Tanul

ashnamehrotra commented 1 month ago

@smartaquarius10 Adding those lines requires modifying Dockerfiles and doing a complete rebuild of the image upstream, which can take extra time when dealing with a large number of images and is not always possible when using images your team does not publish.

Using Copa allows for a more efficient and quicker patch and takes away the reliance on image publishers. Instead of a rebuild pipeline to do this work, you can use a single tool. Copa internally uses the same base image commands (like apk for Alpine, as you mentioned), but takes away the manual effort from the engineering side to automate this process. Owning Copa as a single tool will be simpler than maintaining image rebuild pipelines.

We also have a Copa GitHub Action to allow for easy integration into your pipelines, and are working on a Docker Extension in #481.
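The answer above says Copa reads the scanner report and then runs the same package-manager commands a Dockerfile would, but only for the packages the report names. The following is an added example, not Copa's code and not from the thread, that reproduces that report-to-command step on a constructed Trivy-shaped JSON report: it keeps only OS-package findings that have a fixed version, emits a pinned package-manager command for the image's OS family, and separately lists findings with no fix, which neither a blanket `apk upgrade` nor a targeted patch can remove. The report contents, package versions and `EXAMPLE-*` identifiers are dummies, and the per-family command templates and the `Metadata.OS.Family` / `Results[].Class` lookups are assumptions about the report layout rather than anything the page states.

```python
"""Derive a targeted OS package update from a vulnerability-scanner report.

Added example, not Copa's code. Assumes the Trivy JSON report layout
(Results[].Class == "os-pkgs", Vulnerabilities[].PkgName / FixedVersion,
Metadata.OS.Family) and a constructed report embedded below.
"""
import json

# Constructed sample in Trivy's JSON shape. Versions and the EXAMPLE-*
# identifiers are dummies, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.18"}},
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.18)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
                 "Severity": "HIGH"},
                # second finding on the same package: must not duplicate the pin
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
                 "Severity": "MEDIUM"},
                # no fixed version published: nothing an upgrade can do
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "busybox",
                 "InstalledVersion": "1.36.1-r2", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        },
        {
            # language-ecosystem finding: outside the OS package manager's reach
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "requests",
                 "InstalledVersion": "2.0", "FixedVersion": "2.1"},
            ],
        },
    ],
})

# Assumed command templates per OS family; only these two are handled here.
TEMPLATES = {
    "alpine": "apk add --no-cache {pkgs}",
    "debian": ("apt-get update && apt-get install -y --no-install-recommends "
               "{pkgs} && rm -rf /var/lib/apt/lists/*"),
}


def os_results(report):
    """Return only the OS-package result blocks of a report."""
    data = json.loads(report)
    return [r for r in data.get("Results", []) if r.get("Class") == "os-pkgs"]


def fixable_os_packages(report):
    """Map package name -> fixed version for OS packages that have a fix.

    Language-ecosystem findings (pip, npm, ...) are ignored: an OS package
    manager cannot patch those, and neither can a blanket `apk upgrade`.
    """
    fixes = {}
    for result in os_results(report):
        for finding in result.get("Vulnerabilities", []):
            fixed = finding.get("FixedVersion")
            if not fixed:
                continue
            # Several findings may name one package; keep the highest version
            # string seen. Plain string ordering suffices for the sample; a
            # real tool compares versions with the package manager's rules.
            name = finding["PkgName"]
            fixes[name] = max(fixes.get(name, ""), fixed)
    return fixes


def unfixed_findings(report):
    """(package, id) pairs with no fixed version: these survive any upgrade
    and need a base-image change or a documented exception instead."""
    return sorted(
        (f["PkgName"], f["VulnerabilityID"])
        for r in os_results(report)
        for f in r.get("Vulnerabilities", [])
        if not f.get("FixedVersion")
    )


def patch_command(report):
    """Build the pinned package-manager command for the report's OS family."""
    family = json.loads(report)["Metadata"]["OS"]["Family"]
    if family not in TEMPLATES:
        raise ValueError(f"unsupported OS family: {family}")
    fixes = fixable_os_packages(report)
    if not fixes:
        return ""
    pins = " ".join(f"{name}={version}" for name, version in sorted(fixes.items()))
    return TEMPLATES[family].format(pkgs=pins)


if __name__ == "__main__":
    print(patch_command(SAMPLE_REPORT))
    print("unfixable:", unfixed_findings(SAMPLE_REPORT))
```

The difference from the two Dockerfile lines in the question is that the command is derived from the report, so only the packages the scanner flagged are touched and the result is reproducible from the report alone. With the real tool, the quick start in Copa's documentation produces the report with `trivy image --vuln-type os --ignore-unfixed -f json -o report.json <image>` and then runs `copa patch -i <image> -r report.json -t <tag>` against a BuildKit instance; this example only reproduces the middle step, and the `unfixed_findings` list is the part of the report a patch of either kind leaves behind.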