Subject: Re: Multiarch container builds, version pinning, and package retention policies are fundamentally incompatible
From: Nadia Santalla
To: fossdd, Jakub Jirutka
Cc: ~alpine/users@lists.alpinelinux.org
Date: Tue, 19 Nov 2024 16:32:47 +0100
Message-ID: <248ffd64e14d87a42d686c73b3293f607aa22571.camel@santalla.io>

Hi, thanks again for your insights!
Answering inline below:

On Tue, 2024-11-19 at 16:13 +0100, fossdd wrote:
> That's why we have stable releases. Stable releases only contain
> security (and bug) fixes.
> I never experienced such behaviour, and I do not agree to it. For
> example, pinning versions does not fix security issues.

I think there might be a misunderstanding here. We don't keep pinned versions forever, or for a long time. The container ecosystem has tooling that aids with that. An example of this can be:

https://github.com/roobre/renovate-alpine/pull/13

I think getting updates like this is highly beneficial for containers, for a number of reasons:

- Security. Maintainers *notice* when packages they depend on release updates and security fixes, and can react by updating and releasing a new version of their image containing the fix.
- Testing. Some versions break stuff. Receiving updates in PRs allows for a testing suite to run and ensure the updated dependency still works. This also applies to new Alpine releases, which may contain breaking changes.
- Reproducibility. As I said earlier, the same container image will contain the same version. If a maintainer needs to reproduce a problem that happened one version ago, they can.

> This also applies to every other Alpine installation, even
> containers.
> You still have linked libraries in Alpine containers, which WILL
> break.

I think this is reasonably understood in the container world, while definitely not on desktop. It is possible that I let versions drift, or that two packages depend on one another. If that happens, I will adapt my rules so the bot bumps those dependencies together. If something breaks badly, the test suite (or even the build) will fail and I'll know that I need to update the base image first.

That's why I think that retaining old versions for a while (on a dedicated repo potentially, to save costs and to avoid unaware users using it) can likely work.
There are definitely tradeoffs, but I don't think it's something that people who work with containers daily cannot expect or work around, with the benefits outweighing that effort.

- N
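The interplay the thread argues about (pins in a Dockerfile, a retention policy that drops superseded versions from the index, and per-architecture indexes that can disagree) can be checked mechanically. The following is an added example, not code from the thread, from the renovate-alpine project, or from Alpine's own tooling. It parses `name=version` pins out of `apk add` lines and compares them against per-arch APKINDEX records; the field letters (`P:` name, `V:` version, `A:` arch) are the real APKINDEX format, but the Dockerfile fragment, the package set and the version numbers are constructed for the example and do not describe any real repository state.

```python
"""Check Dockerfile apk pins against per-arch APKINDEX snapshots.

Added example for the mailing-list discussion; the inputs below are
constructed, not captured from a real Alpine mirror.
"""
from __future__ import annotations

import re

# Constructed Dockerfile fragment with three pinned packages.
DOCKERFILE = """\
FROM alpine:3.20
RUN apk add --no-cache \\
      curl=8.9.1-r1 \\
      ca-certificates=20240705-r0 \\
      openssl=3.3.2-r0
"""

# Constructed APKINDEX excerpts, one per architecture. Records are
# blank-line separated; only P:, V: and A: are shown. The aarch64 index
# carries a different openssl revision on purpose, to show the multiarch
# case where no single pin satisfies every architecture.
APKINDEX = {
    "x86_64": """\
P:curl
V:8.11.0-r0
A:x86_64

P:ca-certificates
V:20240705-r0
A:x86_64

P:openssl
V:3.3.2-r0
A:x86_64
""",
    "aarch64": """\
P:curl
V:8.11.0-r0
A:aarch64

P:ca-certificates
V:20240705-r0
A:aarch64

P:openssl
V:3.3.2-r1
A:aarch64
""",
}

# name=version token as used by "apk add"; the lookbehind keeps the match
# from starting inside a preceding token.
PIN_RE = re.compile(r"(?<![\w.+-])([a-z0-9][\w.+-]*)=([0-9][\w.+-]*)")


def parse_pins(dockerfile: str) -> dict[str, str]:
    """Return {package: version} for every pin found in apk add commands."""
    # Fold "\"-newline continuations so a multi-line RUN is one logical line.
    logical = dockerfile.replace("\\\n", " ")
    pins: dict[str, str] = {}
    for line in logical.splitlines():
        if "apk add" not in line:
            continue
        for name, version in PIN_RE.findall(line):
            pins[name] = version
    return pins


def parse_apkindex(text: str) -> dict[str, str]:
    """Parse the P:/V: fields of an APKINDEX into {package: version}."""
    versions: dict[str, str] = {}
    for record in text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            if len(line) > 2 and line[1] == ":":
                fields[line[0]] = line[2:]
        if "P" in fields and "V" in fields:
            versions[fields["P"]] = fields["V"]
    return versions


def check_pins(pins: dict[str, str], indexes: dict[str, str]) -> dict:
    """Classify each pin per arch: ('ok', v), ('drifted', v_now) when the
    pinned version is no longer what the index serves (the retention case),
    or ('missing', None) when the package is absent from that arch."""
    report: dict[str, dict[str, tuple[str, str | None]]] = {}
    for arch, index_text in indexes.items():
        available = parse_apkindex(index_text)
        report[arch] = {}
        for name, wanted in pins.items():
            if name not in available:
                report[arch][name] = ("missing", None)
            elif available[name] == wanted:
                report[arch][name] = ("ok", wanted)
            else:
                report[arch][name] = ("drifted", available[name])
    return report


def suggest_bumps(pins: dict[str, str], indexes: dict[str, str]) -> dict[str, str | None]:
    """Propose one new pin per package that every arch can satisfy, or None
    when the arches disagree and a single-version pin cannot work."""
    per_arch = {arch: parse_apkindex(t) for arch, t in indexes.items()}
    bumps: dict[str, str | None] = {}
    for name in pins:
        candidates = {idx.get(name) for idx in per_arch.values()}
        candidates.discard(None)
        bumps[name] = candidates.pop() if len(candidates) == 1 else None
    return bumps


if __name__ == "__main__":
    pins = parse_pins(DOCKERFILE)
    for arch, entries in check_pins(pins, APKINDEX).items():
        for name, (status, now) in entries.items():
            print(f"{arch:8} {name:16} {status:8} pinned={pins[name]} index={now}")
    for name, proposal in suggest_bumps(pins, APKINDEX).items():
        print(f"bump {name}: {proposal or 'CONFLICT across arches'}")
```

In the constructed input, `curl` has been superseded on both arches and gets a clean bump proposal, while `openssl` drifted on aarch64 only, so no single `openssl=...` pin builds on both; that is the situation a bump bot has to resolve either by bumping both arches together or by keeping the older package available.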