Re: [alpine-user] How are security updates handled

From: Rodrigo Campos <>
Date: Mon, 4 Apr 2016 15:07:57 -0300

On Mon, Apr 4, 2016 at 2:41 PM, Natanael Copa <> wrote:
> Hi,
> This fell between the cracks. sorry.
> On Wed, 23 Mar 2016 14:55:29 -0300
> Rodrigo Campos <> wrote:
>> Hi,
>> I'm interested in using alpine linux for docker containers, but I'm
>> not sure how security updates to packages are managed. I read the site
>> and wiki and didn't find it (but I might have missed something).
> We monitor mailing lists, etc. and report unfixed issues in a private
> tracker. Once an issue is fixed we make it public.

Is it reported to the package maintainer in alpine? Sorry, I'm not sure I follow.

>> I see usually alpine linux releases are supported for more or less two
>> years, although v3.3 seems to be 1.5 years[1]. Is it expected that
>> new releases are supported for 1.5 years? Or is there any written
>> policy that I can check and didn't find?
> We do releases every May and November and support that for 2 years.
> That is the idea at least.
>> Also, how are security updates handled for any X package in some
>> supported alpine linux release? If some package is not supported
>> upstream anymore, it's up to the alpine linux maintainer of the
>> package to back port the fix to the supported alpine linux release?
> In theory we do backports if upstream drops support. This works mostly
> but in some cases it has not been possible. For example qemu and golang
> do not support older versions and we have not been able to provide
> security fixes for some issues. This was the triggering factor of the
> "community" repo, where we only support edge and current stable
> release. In other words for 6 months after branching. After that it is
> "best-effort".

After 6 months it is best effort on the community repo, right? And
during those 6 months, is it up to the package maintainer to do the
security fix? And if the package maintainer is unresponsive?

And the "main" repo is supported for 2 years? Although I'm not sure if
it is like this, because qemu seems to be in the "main" repository.

>> Is there an alpine linux security team?
> We don't have any (official) security team, but the job gets mostly
> done. Critical issues are normally fixed relatively early.
>> Or how is this handled? And again, is there any written policy about
>> this? :)
> No written policy, other than the mentioned releases wiki page. We
> need help with improving the documentation.
> Sorry.

Thanks a lot! :-)