[alpine-user] clarification regarding pinning package dependencies

Message ID: <etPan.5c7547b8.58bc06db.9727@ableton.com>
Sender timestamp: 1551189945
DKIM signature: missing

Hello, and thank you for Alpine!

I was hoping to get some clarification on Alpine’s package retention and update policies. According to https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases, stable releases are maintained for about 2 years. However, I haven’t been able to find any policy or guidance on package version changes _within_ a release. What I do know (although it doesn’t seem to be written down on the wiki) is that older versions of a package are removed from the server when a new version is available for that release. It seems a bit counterintuitive to allow package pinning in apk if only the latest version is available from the package server.

The reason I bring this up is my team is using https://github.com/hadolint/hadolint to lint our Dockerfiles. hadolint’s rules require pinned package versions, which means we’re constantly manually rolling our Dockerfiles whenever a package is updated. We’d like to avoid doing this and have two questions about the package retention and upgrade schedule (apologies if they’ve been answered elsewhere):

a) Is it possible to retain superseded packages on the package server, to facilitate apk package pinning?
b) If, instead, we wanted to follow the advice in https://github.com/hadolint/hadolint/issues/204#issuecomment-394103224 and use ~= to soft-pin our dependencies, what are the rules around a release’s package update schedule? Can we rely on a release to never bump the major and minor versions of a package?

Thanks for your answers (and the software!)
- Mike


----
Ableton AG
Schoenhauser Allee 6-7
10119 Berlin, Germany

T: +49 30 288763-0
F: +49 30 288763-11

Management Board/Vorstand: Gerhard Behles, Jan Bohl
Chair of the Supervisory Board/Vorsitzender des Aufsichtsrats: Uwe Struck
Registered Office/Sitz: Berlin, Amtsgericht Berlin-Charlottenburg, HRB 72838
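
A check for the situation the post describes, as an added example that is not part of the original message or of apk: it reads the pins from a Dockerfile line and reports which ones no longer resolve against a repository index that lists only the latest version of each package. The index excerpt, Dockerfile line and version numbers are constructed, and the `~=` match is simplified to a version-prefix comparison (an assumption, not apk's exact algorithm).

```python
import re

# Constructed APKINDEX excerpt (P: package name, V: version). It lists only
# the latest build of each package, as the post describes.
APKINDEX = """\
P:curl
V:7.64.0-r1

P:openssl
V:1.1.1b-r1
"""

# Constructed Dockerfile line: one exact pin, one ~= pin, one unknown package.
DOCKERFILE = "RUN apk add --no-cache curl=7.63.0-r0 openssl~=1.1 git~=2.20"

PIN = re.compile(r"([a-z0-9][a-z0-9+._-]*)(~=|=)(\S+)")


def parse_index(text):
    """Map package name -> version from P:/V: records separated by blank lines."""
    index = {}
    for record in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        if "P" in fields and "V" in fields:
            index[fields["P"]] = fields["V"]
    return index


def fuzzy_match(have, want):
    """Assumed ~= semantics: `want` is a whole-component prefix of `have`."""
    return have == want or (have.startswith(want) and have[len(want)] in ".-_")


def check_pins(dockerfile, index):
    """Return {pin: 'ok' | 'stale' | 'missing'} for every pinned package."""
    results = {}
    for token in dockerfile.split():
        m = PIN.fullmatch(token.strip("'\""))
        if not m:
            continue
        name, op, want = m.groups()
        have = index.get(name)
        if have is None:
            results[token] = "missing"
        elif op == "=":
            results[token] = "ok" if have == want else "stale"
        else:
            results[token] = "ok" if fuzzy_match(have, want) else "stale"
    return results
```

Run against the index of the release a Dockerfile targets, a `stale` exact pin marks a build that will fail at `apk add` before the build is attempted.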