Hi, The project produces official Docker images for every release, including our own bugfix releases. These images are based on an OpenJDK base image, which is again based on a Linux base image. Once in a while, when there is a serious bugfix in either Linux or Java the Solr image gets re-built by Docker.
I wanted to invite you to a discussion on how you as users handle security patching in your Docker/k8s production environments. Do you:

A) just pull the image once and let it sit there until the next upgrade?
B) pin the exact version, e.g. solr:8.11.1, and pull routinely for Linux / JDK updates?
C) pin the minor version only, e.g. solr:8.1, and pull regularly for any new patch releases?
D) pin the major version only, e.g. solr:8, and pull regularly for any new minor releases?
E) make a custom Dockerfile FROM solr:8 and add "RUN apt upgrade" or similar to stay up to date? How often?
F) None of the above.

Please share your best practice.

This thread was triggered from https://issues.apache.org/jira/browse/SOLR-15967, which is really about RPM but strayed into security patching in general.

Thanks,
Jan
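For readers weighing option E, here is an added example of what such a custom image looks like; it is not code from the original post or from the Solr project. It assumes the base image is Debian/Ubuntu based (so apt-get is available) and that the base image runs as the unprivileged "solr" user, which is why it switches to root only for the upgrade step and back again.

```dockerfile
# Added example (not from the original post): a derived image that tracks the
# solr:8 tag, as in option E, and applies pending OS package updates at build time.
# Assumption: the base is Debian/Ubuntu based and normally runs as user "solr".
FROM solr:8

# Package upgrades need root; the base image runs as "solr", so switch temporarily.
USER root

# Refresh package lists, apply all pending (including security) updates, then
# drop the apt cache so the extra layer stays small. DEBIAN_FRONTEND suppresses
# interactive prompts during unattended builds.
RUN export DEBIAN_FRONTEND=noninteractive \
    && apt-get update \
    && apt-get -y upgrade \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Drop privileges again so the running container keeps the base image's user.
USER solr
```

The Dockerfile alone does not keep you patched: Docker's layer cache will reuse the RUN layer on later builds, and a cached FROM layer will not notice that solr:8 was re-pushed upstream. Rebuild on a schedule with `docker build --pull --no-cache -t my-solr:8 .` so that both the base tag and the apt repositories are re-read on every build, and redeploy from the result.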