Closed jrwren closed 1 month ago
While gosu is not unused, I agree that it should be removed. They have had a CVE for a few months now because they are compiling with an EOL Go version. When asked to upgrade, the maintainer did but then never released a new build. This is not acceptable in most company security policies. I agree with the maintainer of gosu that it has no impact; I do not agree that there is no reason to release a new version.
Redis used gosu for the "--user" entry flag. Is there a way we can do this without gosu?
Similar to https://github.com/docker-library/redis/issues/401#issuecomment-2146091318
I believe that Ubuntu (edit: sorry, Debian) already has runuser OOTB and Alpine can apk add runuser to get the same functionality as gosu.
update: never mind. The semantics of runuser are not the same as gosu and rather than exec it does fork and exec.
setpriv is the alternative you're probably looking for.
Closing this as we have replaced gosu with setpriv.
Would you be open to a patch which removes the unused gosu?
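The fork-versus-exec difference raised in the runuser comment can be checked directly. The sketch below is an added example, not code from this thread or from the redis image: `drop_and_exec` shows a setpriv-based privilege drop that replaces the current process, and `keeps_pid` reports whether a given wrapper execs its target in place. The function names and the assumption that the group is named like the user are hypothetical.

```shell
#!/bin/sh
# Added example, not the image's own entrypoint. Function names are hypothetical.

# Drop from root to an unprivileged user and replace the current process with
# the command, so no wrapper process stays between the container runtime and
# the server. Needs root and util-linux setpriv.
# Assumption: a group with the same name as the user exists.
drop_and_exec() {
    user=$1
    shift
    exec setpriv --reuid="$user" --regid="$user" --clear-groups -- "$@"
}

# keeps_pid WRAPPER [ARGS...]
# Returns 0 when the wrapper execs its target in place (the target reports the
# wrapper's PID), 1 when the wrapper forks a child, 2 when the wrapper fails.
keeps_pid() {
    # The launcher prints its PID, then execs the wrapper, which therefore
    # inherits that PID. The target prints the PID it ends up running under.
    out=$(sh -c 'echo "$$"; exec "$@"' sh "$@" sh -c 'echo "$$"') || return 2
    wrapper_pid=$(printf '%s\n' "$out" | sed -n 1p)
    target_pid=$(printf '%s\n' "$out" | sed -n 2p)
    [ -n "$target_pid" ] && [ "$wrapper_pid" = "$target_pid" ]
}

# Constructed stand-ins that need neither root nor setpriv:
# env execs its command in place, like gosu and setpriv.
exec_wrapper() { keeps_pid env; }
# A shell that runs the command as a non-final step forks a child,
# which is the behaviour the thread attributes to runuser.
fork_wrapper() { keeps_pid sh -c '"$@"; :' sh; }
```

Inside a container running as root, `keeps_pid setpriv --reuid=redis --regid=redis --clear-groups --` applies the same check to the real tool, with `redis` as an assumed user and group name.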