Date: Mon, 4 Apr 2016 19:41:44 +0200
From: Natanael Copa
To: Rodrigo Campos
Cc: alpine-user@lists.alpinelinux.org
Subject: Re: [alpine-user] How are security updates handled
Message-ID: <20160404194144.27975e09@ncopa-desktop.alpinelinux.org>

Hi,

This fell between the cracks. Sorry.

On Wed, 23 Mar 2016 14:55:29 -0300
Rodrigo Campos wrote:

> Hi,
>
> I'm interested in using alpine linux for docker containers, but I'm
> not sure how security updates to packages are managed. I read the site
> and wiki and didn't find it (but I might have missed something).

We monitor mailing lists, etc and report unfixed issues in a private
tracker. Once an issue is fixed we make it public.

> I see usually alpine linux releases are supported for more or less two
> years, although v3.3 seems to be 1.5 years[1]. Is it expected that
> new releases are supported for 1.5 years? Or is there any written
> policy that I can check and didn't find?

We do releases every May and November and support that for 2 years.
That is the idea at least.

> Also, how are security updates handled to any X package in some
> supported alpine linux release? If some package is not supported
> upstream anymore, it's up to the alpine linux maintainer of the
> package to back port the fix to the supported alpine linux release?

In theory we do backports if upstream drops support. This works mostly
but in some cases it has not been possible. For example qemu and golang
do not support older versions and we have not been able to provide
security fixes for some issues. This was the triggering factor of the
"community" repo, where we only support edge and current stable
release. In other words for 6 months after branching. After that it is
"best-effort".

> Is there an alpine linux security team?

We don't have any (official) security team, but the job gets mostly
done. Critical issues are normally fixed relatively early.

> Or how is this handled? And again, is there any written policy about
> this? :)

No written policy, more than the mentioned releases wiki page. We have
need for help with improving the documentation. Sorry.

> Thanks a lot,
> Rodrigo
>
> [1]: http://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
>
> ---
> Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org
> Help: alpine-user+help@lists.alpinelinux.org
> ---