Mail archive

Re: [alpine-user] How are security updates handled

From: Natanael Copa <>
Date: Mon, 4 Apr 2016 19:41:44 +0200


This fell between the cracks. Sorry.

On Wed, 23 Mar 2016 14:55:29 -0300
Rodrigo Campos <> wrote:

> Hi,
> I'm interested in using alpine linux for docker containers, but I'm
> not sure how security updates to packages are managed. I read the site
> and wiki and didn't find it (but I might have missed something).

We monitor mailing lists, etc. and report unfixed issues in a private
tracker. Once an issue is fixed we make it public.

> I see usually alpine linux releases are supported for more or less two
> years, although v3.3 seems to be 1.5 years[1]. Is it expected that
> new releases are supported for 1.5 years? Or is there any written
> policy that I can check and didn't find?

We do releases every May and November and support that for 2 years.
That is the idea at least.

> Also, how are security updates handled to any X package in some
> supported alpine linux release? If some package is not supported
> upstream anymore, it's up to the alpine linux maintainer of the
> package to back port the fix to the supported alpine linux release?

In theory we do backports if upstream drops support. This works mostly
but in some cases it has not been possible. For example qemu and golang
do not support older versions and we have not been able to provide
security fixes for some issues. This was the triggering factor of the
"community" repo, where we only support edge and current stable
release. In other words for 6 months after branching. After that it is

> Is there an alpine linux security team?

We don't have any (official) security team, but the job gets mostly
done. Critical issues are normally fixed relatively early.

> Or how is this handled? And again, is there any written policy about
> this? :)

No written policy, more than the mentioned releases wiki page. We have
need for help with improving the documentation.


> Thanks a lot,
> Rodrigo
> [1]:

Received on Mon Apr 04 2016 - 19:41:44 UTC