vmarquet | 8 years ago

In addition to the "minimalist" aspect, this image seems to offer better practices on a security level than official Debian images. From their README: "The images are built daily and have the security release enabled, so will contain any security updates released more than 24 hours ago."

A recent analysis showed that the debian:latest image is "updated roughly every month": https://anchore.com/blog/look-often-docker-images-updated/

zenlikethat|8 years ago

> In addition to the "minimalist" aspect, this image seems to offer better practices on a security level than official Debian images

I'm skeptical about this claim. Almost every image built from the Debian official image begins with `apt-get update` before you can actually install anything, which means you will almost always have the latest packages at the time of building.

nyrikki|8 years ago

While not as small, it is trivial to make an up-to-date Debian base image (or Fedora/Arch) any time you want. If you care about security, you probably don't want to use random unverified images anyway.

  $ sudo debootstrap stretch mydebian http://mirrors.kernel.org/debian/
  $ cd mydebian
  $ sudo tar -c . | docker import - mydebian

Plus you can add files to the system before tarring, etc.

If you have significant work to do on an image, a Dockerfile can often be far more complex than this method.

gramakri|8 years ago

`apt update` only updates the package list and not the packages themselves. So unless the Dockerfile contains `apt upgrade`, it still uses old packages.
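
Added example, not part of the thread: a shell check for the pattern discussed above, a Dockerfile whose RUN steps refresh the apt package lists but never run an upgrade. The function name `check_dockerfile`, its three result labels and both sample Dockerfiles are constructed for illustration.

```shell
# Added example, not from the thread. Reads a Dockerfile on stdin and prints:
#   upgrades    a RUN step calls apt/apt-get upgrade, dist-upgrade or full-upgrade
#   stale-base  package lists are refreshed but no upgrade is requested, so
#               packages already in the base image are not brought up to date
#   no-apt      no apt update/upgrade found
check_dockerfile() {
    awk '
    {
        if ($0 ~ /^[ \t]*#/) next                  # skip comment lines
        buf = buf $0
        if (buf ~ /\\[ \t]*$/) {                   # join backslash continuations
            sub(/\\[ \t]*$/, " ", buf); next
        }
        instr = buf; buf = ""
        if (toupper(instr) !~ /^[ \t]*RUN[ \t]/) next
        # apt or apt-get, optional flags such as -y, then the subcommand
        if (instr ~ /apt(-get)?[ \t]+(-[^ \t]+[ \t]+)*update/) upd = 1
        if (instr ~ /apt(-get)?[ \t]+(-[^ \t]+[ \t]+)*(dist-|full-)?upgrade/) upg = 1
    }
    END {
        if (upg) print "upgrades"
        else if (upd) print "stale-base"
        else print "no-apt"
    }'
}

# Constructed sample: package lists refreshed, then an install, no upgrade.
sample_update_only() {
    cat <<'EOF'
FROM debian:stretch
# install tools
RUN apt-get update && \
    apt-get install -y curl ca-certificates
EOF
}

# Constructed sample: same image, but installed packages are upgraded too.
sample_with_upgrade() {
    cat <<'EOF'
FROM debian:stretch
RUN apt-get update \
 && apt-get -y dist-upgrade \
 && apt-get install -y curl ca-certificates
EOF
}

echo "update only:  $(sample_update_only | check_dockerfile)"
echo "with upgrade: $(sample_with_upgrade | check_dockerfile)"
```

Run it against a real file with `check_dockerfile < Dockerfile`.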

viraptor|8 years ago

I couldn't find anything in the post that correlates the Debian updates with security notices (which is your main point). If a security advisory comes out every 2-5 weeks and Debian updates on the same schedule, then I don't see a problem. But the data is just not there.

(These have to be advisories actually affecting the image, not all of them)