[
https://issues.apache.org/jira/browse/DAFFODIL-2714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17654636#comment-17654636
]
Mike Beckerle commented on DAFFODIL-2714:
-----------------------------------------
Can we just update the release process to describe how to add the security
updates before each release.
> Release candidate container does not support security updates
> -------------------------------------------------------------
>
> Key: DAFFODIL-2714
> URL: https://issues.apache.org/jira/browse/DAFFODIL-2714
> Project: Daffodil
> Issue Type: Bug
> Components: Infrastructure
> Reporter: Steve Lawrence
> Priority: Minor
>
> Commit 660188266aa171ac536d1182486fabf411dc18be modified the release
> candidate container to not install any packages from the "Fedora Updates".
> The goal was to ensure no matter when you built, you would get the exact same
> packages, which improves reproducability and lessens the chance for the build
> to break if Fedora updates a package.
> However, this means that the container does not receive any security updates
> as well. While it's unlikely security issues could affect the build since all
> code run in the container is trusted, we should come up with a way to ensure
> security updates are applied, preferably without requiring that someone
> delete and rebuild the entire container for every release.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
