Received: from mail.schafweide.org (mail.schafweide.org [IPv6:2a03:4000:6:b127::1])
	by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id F0DDD225C51
	for <~alpine/users@lists.alpinelinux.org>; Thu, 19 Sep 2024 19:35:55 +0000 (UTC)
Received: from [IPV6:2a00:c380:e002:8240:7c8e:7022:2715:9fc] (unknown [IPv6:2a00:c380:e002:8240:7c8e:7022:2715:9fc])
	by mail.schafweide.org (Postfix) with ESMTPSA id DCD65E4D9B50
	for <~alpine/users@lists.alpinelinux.org>; Thu, 19 Sep 2024 21:35:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=schafweide.org;
	s=2007; t=1726774553;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=yVM2EQkEz1L5srFEUATXncKiYxQ10JZVTilN52dOjgA=;
	b=GnvEhFByfGDS8nG4g1PPGn+uTYT5K5UBtvcjaSTx4dhry89kRDlrvAV3UjsHAGorPpQz6p
	m7j1OUUW5PyumMUoDp3RFSztGUWWEi7cJxVPQdu2CO7VdE8UiMHTAQoVNrHgTUSt89gSxt
	zZQbjs7lC7S0g++M8jbfKMKfSZI6Adk=
Message-ID: <42ae97cb-f16a-4eeb-a519-d40de33bb631@schafweide.org>
Date: Thu, 19 Sep 2024 21:35:53 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Discussion - Is Alpine Linux still a more secure Linux
 Distribution compared to its compatriots
To: ~alpine/users@lists.alpinelinux.org
References: <O74GIpz--B-9@tuta.io> <D4ACWC7305LF.2DM29SENIP4GF@riseup.net>
 <CAH8yC8nshCNg5S0PqbndjDvLjow5wSi3BmTwDnv0yrg8bZGJ1w@mail.gmail.com>
Content-Language: de-DE, en-US
From: Bjoern Franke <bjo@schafweide.org>
In-Reply-To: <CAH8yC8nshCNg5S0PqbndjDvLjow5wSi3BmTwDnv0yrg8bZGJ1w@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi,

> One datapoint from my $dayjob... Alpine is used for container
> instances because it has a small footprint, and it is best-in-class
> with respect to vulnerability scanner results. I.e., it has the fewest
> findings from known exploits. This is compared with other popular
> distros like Debian and Ubuntu.
> 

I'm surprised that this aspect wasn't mentioned earlier. Some time ago 
at $dayjob we compared the Nextcloud Docker images, the Debian based one 
and the Alpine based one, with trivy. I don't recall the numbers in 
detail any more, but while trivy found dozens of vulnerabilities in the 
Debian image, there were nearly 0 in the Alpine image. Several 
vulnerabilities didn't even have Debian Security Advisories assigned.

Regards
Bjoern