GitHub user hpvd edited a comment on the discussion: Build distroless package for better security, smaller size, speed and more

Sure, you are right about false positives! But even if the absolute numbers are lower, e.g. with a new release of Pulsar and an included distro, the mechanism always stays alive: the more code within a package, the more chances for vulnerabilities (plus the influence on the other 7 points noted in https://github.com/apache/pulsar/discussions/20253#discussion-5173112). And if the absolute number of vulnerabilities is low on release day, it will always be higher next week...

GitHub link: https://github.com/apache/pulsar/discussions/20253#discussioncomment-5851978

----
This is an automatically sent email for commits@pulsar.apache.org.
To unsubscribe, please send an email to: commits-unsubscr...@pulsar.apache.org