Paul,

On 3/25/21 4:46 PM, Paul Lockaby wrote:
> As a lurker on this list I've always kind of wondered what the policy is for releasing new containers to address security patches on dependencies like this. I'm not sure who maintains the "official" containers for HAProxy but would they do a re-release of the latest versions to include a patch on a dependency like OpenSSL?
>

The 'haproxy' image for Docker is maintained by the Docker Official Images Team [1] [2]. They also handle the necessary rebuilds when the base image changes.

I maintain 2 images as part of the Official Images program and also contribute to the HAProxy image via Pull Requests. I am not part of the DOI Team, though.

Independently from your email I already asked in their IRC whether the 'debian' base image is going to be rebuilt due to the OpenSSL update. This would then cause a rebuild of the 'haproxy' image.

For the images that contain a username (e.g. timwolla/haproxy) the authors are responsible to trigger a rebuild.

Best regards
Tim Düsterhus

[1] https://github.com/docker-library/haproxy/
[2] https://github.com/docker-library/official-images/

