Always upgrade packages

[matthewvalimaki]

I recommend apk upgrade --update to be executed on every image. For example libcrypto, libssl and bind are out of date. While security is responsibility of user providing latest (at the time of build at least) would be good practice.

Also vaguely related: "Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers." quay/clair#12.

[smebberson]

Good idea! Where do you see we'll add this? At the top of the first RUN statement?

[matthewvalimaki]

@smebberson first run sounds right place to me. On all images of course.
On Apr 10, 2016 7:34 PM, "Scott Mebberson" [email protected] wrote:

Good idea! Where do you see we'll add this? At the top of the first RUN
statement?

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#39 (comment)

[smebberson]

@matthewvalimaki, damn, I missed this in my recent updates. I should have added it in while I was there. Do you think a minor or patch release is okay for this addition?

[matthewvalimaki]

@smebberson I think it's fine if you just push apk --update upgrade to master and they'll be in images whenever you just make a new release.

[smebberson]

@matthewvalimaki, I've made a bunch of progress on this. All of the new images have this, you can see the CHANGELOG for notes accordingly. I'll keep this open for now.