[
https://issues.apache.org/jira/browse/DAFFODIL-2714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17654664#comment-17654664
]
John Interrante commented on DAFFODIL-2714:
-------------------------------------------
Apparently, this issue's premise is that the Dockerfile should build exactly
the same image now that it built several months ago regardless of any security
updates during the last few months, but the container should have security
updates applied before making a release. This implies that the release script
run by the container should contain a scripted "sudo dnf update" command.
I think such a release script could take a considerable amount of time to
download and apply the security updates, and maybe even fail to update
something important (a kernel module or C library already read into memory)
unless we "reboot" the container to ensure all security updates take effect.
You would have to type a "docker run" command without the --rm option (which
automatically removes the container after it stops), the release script would
need to exit after downloading and applying the system updates, you would have
to type a "docker start" command with the correct container id, and the release
script would need to skip or rerun everything it did the last time without
exiting again until after it builds the release.
It seems to me that it would make more sense to build the Dockerfile's image
from a base image like Ubuntu LTS which periodically has security updates
rolled up into the base image. You would have to type a "docker pull" or
"docker build" command before you type a "docker run" command to make sure you
get the latest security updates, but these security updates hopefully won't
change any program's API in a way that might break the release script.
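The base-image approach proposed above, as an added example that is not the Daffodil project's own Dockerfile: the tag, the package names and the build command are assumptions for illustration, and the comments note where the build cache would otherwise defeat the point of rebuilding.

```dockerfile
# Added example, not the project's release-candidate Dockerfile.
# Base the image on an LTS tag that the distribution refreshes with security
# fixes, so a fresh pull of the tag already carries recent updates.
FROM ubuntu:22.04

# Keep apt from prompting during a non-interactive image build.
ENV DEBIAN_FRONTEND=noninteractive

# Refresh the package index and apply pending updates in the SAME RUN layer
# as the installs: Docker caches each RUN layer by its text, so a separate
# "apt-get update" layer would be served stale from the cache and the later
# install/upgrade would never see new security fixes.
# Package names below are assumed placeholders for whatever the release
# script needs; they are not taken from the project.
RUN apt-get update \
    && apt-get -y upgrade \
    && apt-get -y install --no-install-recommends \
        openjdk-17-jdk-headless \
        git \
    && rm -rf /var/lib/apt/lists/*

# To pin the exact base for reproducibility instead, replace the FROM line
# with a digest reference (placeholder, not a real digest):
#   FROM ubuntu:22.04@sha256:<DIGEST-FROM-YOUR-LAST-KNOWN-GOOD-PULL>
# That trades away the rolled-up security updates the tag would otherwise
# bring in, which is the trade-off the issue and this comment discuss.

# Rebuild before each "docker run" so both the base tag and the RUN layer are
# re-evaluated rather than reused from cache:
#   docker build --pull --no-cache -t daffodil-release-candidate .
```

Without `--pull` Docker reuses the locally cached `ubuntu:22.04` even after the registry has refreshed it, and without `--no-cache` the `RUN` layer is reused as long as its text is unchanged, so neither step alone guarantees that updates land in the image.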
> Release candidate container does not support security updates
> -------------------------------------------------------------
>
> Key: DAFFODIL-2714
> URL: https://issues.apache.org/jira/browse/DAFFODIL-2714
> Project: Daffodil
> Issue Type: Bug
> Components: Infrastructure
> Reporter: Steve Lawrence
> Priority: Minor
>
> Commit 660188266aa171ac536d1182486fabf411dc18be modified the release
> candidate container to not install any packages from the "Fedora Updates".
> The goal was to ensure no matter when you built, you would get the exact same
> packages, which improves reproducibility and lessens the chance for the build
> to break if Fedora updates a package.
> However, this means that the container does not receive any security updates
> as well. While it's unlikely security issues could affect the build since all
> code run in the container is trusted, we should come up with a way to ensure
> security updates are applied, preferably without requiring that someone
> delete and rebuild the entire container for every release.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)