https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272816
Bug ID: 272816
Summary: pkgbase: caroot and openssl packages need reorganising
Product: Base System
Version: 13.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: [email protected]
Reporter: [email protected]
A popular base container image for Linux containers is the distroless family of images (https://github.com/GoogleContainerTools/distroless). For statically linked openssl-based programs, there is a very small 'static' image which contains just certificates and a few config files. For dynamically linked program support there is also 'base', which adds in base system dynamic libs as well as openssl libs. These help to reduce the attack surface on the inside of the container as well as reducing the raw image size.

Trying to use pkgbase to build something like distroless-static isn't currently possible, since the FreeBSD-caroot package which contains the certificates also depends on FreeBSD-openssl, which has all the ssl dynamic libs. Building something like distroless-base is almost possible, but FreeBSD-openssl also installs the openssl utility, which isn't wanted and is ~0.7 MB in size.

Perhaps FreeBSD-caroot could split out the certificates into another package, or possibly just not depend on FreeBSD-openssl? To avoid installing /usr/bin/openssl when adding SSL dynamic libs, perhaps FreeBSD-openssl could split out the libs into FreeBSD-openssl-libs?
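An added audit script (not part of the bug report or of pkgbase) that checks a staged rootfs, such as one populated with `pkg -r "$ROOT" install FreeBSD-caroot`, for anything beyond certificates and config, so a distroless-static style image can be verified to contain no stray executables or shared libraries like /usr/bin/openssl or libssl. The sample tree it builds is constructed for the demo and mimics what the FreeBSD-openssl dependency currently leaves behind.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a pkgbase-staged rootfs for
# executables and shared objects that a certificate-only image should not have.
# The sample tree below is constructed; real file names depend on the release.

# Print paths (relative to the root) of executable files and shared objects.
# Certificate bundles under etc/ and usr/share/certs/ are expected and skipped.
audit_rootfs() {
    root=$1
    find "$root" -type f \( -perm -100 -o -name '*.so' -o -name '*.so.*' \) \
        | sed "s|^$root/||" \
        | grep -v -e '^etc/' -e '^usr/share/certs/' \
        | sort
}

# Return 0 if the rootfs holds nothing but certs/config, 1 otherwise.
rootfs_is_minimal() {
    [ -z "$(audit_rootfs "$1")" ]
}

# Build a constructed sample tree resembling the result of installing
# FreeBSD-caroot today: certs plus the openssl binary and its libraries.
make_sample_rootfs() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssl" "$root/usr/share/certs/trusted" \
             "$root/usr/bin" "$root/usr/lib"
    : > "$root/etc/ssl/cert.pem"
    : > "$root/usr/share/certs/trusted/SampleRootCA.pem"
    : > "$root/usr/bin/openssl"
    chmod 755 "$root/usr/bin/openssl"
    : > "$root/usr/lib/libssl.so.111"
    : > "$root/usr/lib/libcrypto.so.111"
    echo "$root"
}

# Usage: stage a tree, report what would bloat a static image, then clean up.
if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_rootfs)
    audit_rootfs "$r"
    rm -rf "$r"
fi
```

Run with `--demo` to see the three unwanted entries; on a real staging root, point `audit_rootfs` at it after `pkg -r` and expect empty output for a certificate-only image.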