Hi,
I'm interested in using alpine linux for docker containers, but I'm
not sure how security updates to packages are managed. I read the site
and wiki and didn't find it (but I might have missed something).
I see usually alpine linux releases are supported for more or less two
years, although v3.3 seems to be 1.5 years[1]. Is it expected that
new releases are supported for 1.5 years? Or is there any written
policy that I can check and didn't find?
Also, how are security updates handled to any X package in an some
supported alpine linux release? If some package is not supported
upstream anymore, it's up to the alpine linux maintainer of the
package to back port the fix to the supported alpine linux release? Is
there an alpine linux security team? Or how is this handled? And
again, is there any written policy about this? :)
Thanks a lot,
Rodrigo
[1]: http://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
---
Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org
Help: alpine-user+help@lists.alpinelinux.org
---
Re: [alpine-user] Re: How are security updates handled
On Mon, Apr 4, 2016 at 12:12 PM, Rodrigo Campos
<rodrigo.campos@restorando.com> wrote:
> On Wed, Mar 23, 2016 at 2:55 PM, Rodrigo Campos> <rodrigo.campos@restorando.com> wrote:>> Hi,>>>> I'm interested in using alpine linux for docker containers, but I'm>> not sure how security updates to packages are managed. I read the site>> and wiki and didn't find it (but I might have missed something).>>>> I see usually alpine linux releases are supported for more or less two>> years, although v3.3 seems to be 1.5 years[1]. Is it expected that>> new releases are supported for 1.5 years? Or is there any written>> policy that I can check and didn't find?>>>> Also, how are security updates handled to any X package in an some>> supported alpine linux release? If some package is not supported>> upstream anymore, it's up to the alpine linux maintainer of the>> package to back port the fix to the supported alpine linux release? Is>> there an alpine linux security team? Or how is this handled? And>> again, is there any written policy about this? :)>> Ping?
It has been my experience with Alpine that getting answers from
knowledgeable people, much less the developers, is nearly impossible.
It's too bad, because in theory, this system has something to offer.
In practice, because of the communication issue, as well as problems
with the system, I have ceased to take it seriously. Your message is a
reminder to remove myself from their mailing list.
>>> ---> Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org> Help: alpine-user+help@lists.alpinelinux.org> --->
---
Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org
Help: alpine-user+help@lists.alpinelinux.org
---
[alpine-user] Re: How are security updates handled
On Wed, Mar 23, 2016 at 2:55 PM, Rodrigo Campos
<rodrigo.campos@restorando.com> wrote:
> Hi,>> I'm interested in using alpine linux for docker containers, but I'm> not sure how security updates to packages are managed. I read the site> and wiki and didn't find it (but I might have missed something).>> I see usually alpine linux releases are supported for more or less two> years, although v3.3 seems to be 1.5 years[1]. Is it expected that> new releases are supported for 1.5 years? Or is there any written> policy that I can check and didn't find?>> Also, how are security updates handled to any X package in an some> supported alpine linux release? If some package is not supported> upstream anymore, it's up to the alpine linux maintainer of the> package to back port the fix to the supported alpine linux release? Is> there an alpine linux security team? Or how is this handled? And> again, is there any written policy about this? :)
Ping?
---
Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org
Help: alpine-user+help@lists.alpinelinux.org
---
On Mon, Apr 4, 2016 at 2:41 PM, Natanael Copa <ncopa@alpinelinux.org> wrote:
> Hi,>> This fell between the cracks. sorry.>> On Wed, 23 Mar 2016 14:55:29 -0300> Rodrigo Campos <rodrigo.campos@restorando.com> wrote:>>> Hi,>>>> I'm interested in using alpine linux for docker containers, but I'm>> not sure how security updates to packages are managed. I read the site>> and wiki and didn't find it (but I might have missed something).>> We monitor mailing lists, etc and report unfixed issues in a private> tracker. Once an issue if fixed we make it public.
It is reported to the package maintainer in alpine? Sorry, I'm not sure I follow
>>> I see usually alpine linux releases are supported for more or less two>> years, although v3.3 seems to be 1.5 years[1]. Is it expected that>> new releases are supported for 1.5 years? Or is there any written>> policy that I can check and didn't find?>> We do releases every May and November and support that for 2 years.> That is the idea at least.>>> Also, how are security updates handled to any X package in an some>> supported alpine linux release? If some package is not supported>> upstream anymore, it's up to the alpine linux maintainer of the>> package to back port the fix to the supported alpine linux release?>> In theory we do backports if upstream drops support. This works mostly> but in some cases it has not been possible. For example qemu and golang> does not support older versions and we have not been able to provide> security fixes for some issues. This was the triggering factor of the> "community" repo, where we only support edge and current stable> release. In other words for 6 months after branching. After that it is> "best-effort".
After 6 months it is best effort on the community repo, right? And
during those 6 months, is up to the package maintainer to do the
security fix? And if the package maintainer is unresponsive?
And the "main" repo is supported for 2 years? Although I'm not sure if
it is like this, because qemu seems to be in the "main" repository
(https://pkgs.alpinelinux.org/packages?name=qemu%25&repo=all&arch=x86_64&maintainer=all
)
>>> Is there an alpine linux security team?>> We don't have any (official) security team, but the job gets mostly> done. Critical issues are normally fixed relatively early.>>> Or how is this handled? And again, is there any written policy about>> this? :)>> No written policy, more than the mentioned releases wiki page. We have> need for help with improving the documentation.>> Sorry.
Thanks a lot! :-)
---
Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org
Help: alpine-user+help@lists.alpinelinux.org
---
Hi,
This fell between the cracks. sorry.
On Wed, 23 Mar 2016 14:55:29 -0300
Rodrigo Campos <rodrigo.campos@restorando.com> wrote:
> Hi,> > I'm interested in using alpine linux for docker containers, but I'm> not sure how security updates to packages are managed. I read the site> and wiki and didn't find it (but I might have missed something).
We monitor mailing lists, etc and report unfixed issues in a private
tracker. Once an issue if fixed we make it public.
> I see usually alpine linux releases are supported for more or less two> years, although v3.3 seems to be 1.5 years[1]. Is it expected that> new releases are supported for 1.5 years? Or is there any written> policy that I can check and didn't find?
We do releases every May and November and support that for 2 years.
That is the idea at least.
> Also, how are security updates handled to any X package in an some> supported alpine linux release? If some package is not supported> upstream anymore, it's up to the alpine linux maintainer of the> package to back port the fix to the supported alpine linux release?
In theory we do backports if upstream drops support. This works mostly
but in some cases it has not been possible. For example qemu and golang
does not support older versions and we have not been able to provide
security fixes for some issues. This was the triggering factor of the
"community" repo, where we only support edge and current stable
release. In other words for 6 months after branching. After that it is
"best-effort".
> Is there an alpine linux security team?
We don't have any (official) security team, but the job gets mostly
done. Critical issues are normally fixed relatively early.
> Or how is this handled? And again, is there any written policy about> this? :)
No written policy, more than the mentioned releases wiki page. We have
need for help with improving the documentation.
Sorry.
> > > > Thanks a lot,> Rodrigo> > > [1]: http://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases> > > ---> Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org> Help: alpine-user+help@lists.alpinelinux.org> --->
---
Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org
Help: alpine-user+help@lists.alpinelinux.org
---