[ https://issues.apache.org/jira/browse/SOLR-15967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17486275#comment-17486275 ]

Martin Häcker commented on SOLR-15967:
--------------------------------------

[~janhoy] you do realize that 7 days is a really long time for an open issue to 
be exploited?

Also, the base images you are referring to may not do what you think they do. 
From the docs of the Debian image:

[https://github.com/debuerreotype/docker-debian-artifacts]
??We strive to publish updated builds at least once a month (~30 days), but 
will also rebuild earlier if there is a major or minor Debian release _or_ if 
there is a severe security issue that warrants doing so.??

??(We try to avoid publishing _too_ frequently, because the downstream rebuild 
effect every time we do is absolutely immense.)??
 
They explicitly will not rebuild for every security issue but only for certain 
major ones. Also they explicitly strive for a low release frequency to prevent 
downstream rebuilds.

The OpenJDK project (actually maintained by docker afaik) doesn't even specify 
any policy regarding security updates: 
https://github.com/docker-library/docs/tree/master/openjdk

Updates happen around once every half month if I read that correctly: 
[https://github.com/docker-library/official-images/commits/master/library/openjdk]

[The official docker library docs have this to say|https://github.com/docker-library/faq#image-building]:

??We strive to publish updated images at least monthly for Debian and Ubuntu. 
We also rebuild earlier if there is a critical security need, e.g. 
[docker-library/official-images#2171|https://github.com/docker-library/official-images/issues/2171].
 Many Official Images are maintained by the community or their respective 
upstream projects, like Alpine and Oracle Linux, and are subject to their own 
maintenance schedule. These refreshed base images also mean that any other 
image in the Official Images program that is {{FROM}} them will also be rebuilt 
(as described in [the project {{README.md}} 
file|https://github.com/docker-library/official-images#library-definition-files]).??

??It is up to individual users to determine whether or not a CVE applies to how 
you are running your service and is beyond the scope of the FAQ.??

I realise that we're getting a bit off topic here, but really: where do you 
read that you get any guarantees for timely security fixes from any of these 
upstream projects? Where did you get that from? As far as I can tell it is all 
'best effort' with a tendency to minimise updates to minimise dependent 
rebuilds. Nowhere can I see mechanisms that trigger image rebuilds whenever 
(security) updates become available.

So where does your guidance come from that it's good enough to update when 
your base image updates?

> Add rpm repo for red hat based distros
> --------------------------------------
>
>                 Key: SOLR-15967
>                 URL: https://issues.apache.org/jira/browse/SOLR-15967
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: packages
>    Affects Versions: 8.11.1
>         Environment: # uname -a
> Linux my.host 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022 
> x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Martin Häcker
>            Priority: Major
>              Labels: centos, centos7, debian, fedora, ubuntu
>         Attachments: Skjermbilde 2022-02-01 kl. 15.17.02.png
>
>
> Hi there,
> it's surprisingly hard to install Solr in a way where I can guarantee to 
> automatically get updates, especially security updates in a reliable manner, 
> as well as get a documented way to start / run Solr on my distro of choice.
> What I am really looking for is an official rpm repository (and probably a 
> deb repo too) that I can add to my package manager and then install a package 
> that will give me all the updates I want, as well as starts the database with 
> a systemd file that is known good.
> In particular, I am looking for a CentOS 7 repository.
> I think that this would make installation of Solr so much easier.
> What do you say?
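The comment above points out that none of the quoted base-image policies describe a mechanism that triggers an image rebuild when OS security updates become available. The script below is an added example of such a mechanism on the consumer side; it is not Solr or docker-library code. It parses the `Inst pkg [old] (new origin [arch])` lines that `apt-get -s upgrade` prints inside a Debian- or Ubuntu-based image and reports whether any pending update comes from a `*-security` suite, so a CI job can fail (and kick off a rebuild) instead of waiting for the upstream image to be refreshed. The simulated apt output embedded in the script is constructed for illustration, and treating an origin label containing "security" as a security update is an assumption about apt's origin naming, not something stated in the thread.

```python
"""Flag a container image for rebuild when OS security updates are pending.

Added example for the SOLR-15967 discussion (not project code).  It parses the
simulation output of `apt-get -s upgrade` run inside an image and returns the
packages whose candidate version comes from a security suite.  The sample
output below is constructed; the "origin label contains 'security'" rule is an
assumption about Debian/Ubuntu archive naming.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# apt-get -s prints one line per package action, e.g.
#   Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
# The "[old]" part is absent for packages that are newly installed, and the
# origin part may list several comma-separated sources.
INST_LINE = re.compile(
    r"^Inst\s+(?P<pkg>\S+)\s+"
    r"(?:\[(?P<old>[^\]]+)\]\s+)?"
    r"\((?P<new>\S+)\s+(?P<origin>.+?)\s+\[(?P<arch>[^\]]+)\]\)$"
)

# Constructed sample of `apt-get -s upgrade` output for a Debian 11 image.
SAMPLE_OUTPUT = """\
NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libc6 libssl1.1 tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libc6 [2.31-13+deb11u3] (2.31-13+deb11u5 Debian-Security:11/stable-security [amd64])
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst tzdata [2021a-1+deb11u5] (2021a-1+deb11u8 Debian:11.6/stable [all])
Conf libc6 (2.31-13+deb11u5 Debian-Security:11/stable-security [amd64])
Conf libssl1.1 (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Conf tzdata (2021a-1+deb11u8 Debian:11.6/stable [all])
"""


@dataclass(frozen=True)
class PendingUpdate:
    package: str
    installed: Optional[str]
    candidate: str
    origins: Tuple[str, ...]

    @property
    def is_security(self) -> bool:
        # Assumption: security suites carry "security" in their origin label
        # (Debian-Security:11/stable-security, Ubuntu:22.04/jammy-security).
        return any("security" in origin.lower() for origin in self.origins)


def parse_simulated_upgrade(output: str) -> List[PendingUpdate]:
    """Extract the `Inst` lines from apt-get -s output into structured records."""
    updates = []
    for line in output.splitlines():
        match = INST_LINE.match(line.strip())
        if not match:
            continue  # progress chatter, Conf lines, summary lines
        origins = tuple(o.strip() for o in match["origin"].split(","))
        updates.append(
            PendingUpdate(match["pkg"], match["old"], match["new"], origins)
        )
    return updates


def needs_rebuild(output: str, security_only: bool = True) -> Tuple[bool, List[str]]:
    """Return (rebuild?, package names) for the pending updates in `output`.

    With security_only=True only security-suite updates count, which keeps the
    rebuild cadence tied to actual fixes rather than every point release.
    """
    updates = parse_simulated_upgrade(output)
    relevant = [u for u in updates if u.is_security or not security_only]
    return bool(relevant), [u.package for u in relevant]


def live_apt_simulation() -> str:
    """Run the real simulation inside the image (requires apt-get; no changes made)."""
    result = subprocess.run(
        ["apt-get", "-s", "upgrade"], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # `--live` checks the image this runs in; otherwise the constructed sample.
    text = live_apt_simulation() if "--live" in sys.argv[1:] else SAMPLE_OUTPUT
    rebuild, packages = needs_rebuild(text)
    print("security updates pending:", ", ".join(packages) or "none")
    sys.exit(1 if rebuild else 0)  # non-zero exit fails the CI step
```

Run `apt-get update` first inside the image so the package lists are current, then run the script with `--live` as a scheduled CI step; a non-zero exit is the trigger the comment says is missing, independent of when docker-library decides to refresh its base images.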



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
