[ 
https://issues.apache.org/jira/browse/SOLR-15967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485836#comment-17485836
 ] 

Martin Häcker commented on SOLR-15967:
--------------------------------------

[~janhoy]: I am slightly worried by your response. The problem is that neither 
the base image (Debian), nor the Solr image is guaranteed to update as soon as 
security bugs are discovered. So every library that is installed in that image 
(and that is used somehow by Solr) is a liability. I understand that especially 
Java software is very well known for just vendorizing the world, thus making OS 
level updates of packages less effective, but that is not a good reason to nix 
them completely.

Rebuilding images nightly is currently the only way to get security updates 
into images in a reliable way - that I know of - and a stable base system (e.g. 
Debian) guarantees that updates don't break the application - just as they do 
on normal production boxes.

I do recognise that the bad advice to not update docker images is still out 
there on the net in many places, but it is bad advice and should not be 
followed. Running code without security updates applied regularly (usually 
daily) is a bad idea and a liability that should be avoided.

Let me rephrase your sentence to a different way of thinking: But what is the 
point with immutable container images if you can't apply security updates 
regularly? Some of your apps are bound to be hacked one day due to a missing 
well-tested security upgrade.

> Add rpm repo for red hat based distros
> --------------------------------------
>
>                 Key: SOLR-15967
>                 URL: https://issues.apache.org/jira/browse/SOLR-15967
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: packages
>    Affects Versions: 8.11.1
>         Environment: # uname -a
> Linux my.host 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022 
> x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Martin Häcker
>            Priority: Major
>              Labels: centos, centos7, debian, fedora, ubuntu
>         Attachments: Skjermbilde 2022-02-01 kl. 15.17.02.png
>
>
> Hi there,
> it's surprisingly hard to install Solr in a way where I can guarantee to 
> automatically get updates, especially security updates in a reliable manner, 
> as well as get a documented way to start / run Solr on my distro of choice.
> What I am really looking for is an official rpm repository (and probably a 
> deb repo too) that I can add to my package manager and then install a package 
> that will give me all the updates I want, as well as starts the database with 
> a systemd file that is known good.
> I in particular am looking for a centos 7 repository.
> I think, that this would make installation of Solr so much easier.
> What do you say?


