Hmm, if you mean whether I use the same locally and on prod then no… On prod I downgraded OTP to 24 due to the TLSv1.3 horror story I encountered and described in another thread. Elixir is the same (1.16.2) though, although I guess that doesn’t matter much in the case at hand
All the functionality related to CA checks and loading was introduced starting from OTP-25, you can always fetch them manually from the system.
I’m not 100% sure with what downgrading of OTP helps, but if there are specific algorithms that have holes in them, you can always disable them by configuration.
The downgrade was done this morning due to an OTP bug introduced in 25 and passed over to 26, which caused critical functionality (email) to suddenly stop working after applying security updates to the mail server (sic!)
I see - would you suggest any “proper” way of doing this?
It would but there are no builder images for 26.2.5+ available yet. While I could build my own, setting this up is not a five minutes job. And also I’d rather prefer a “fail-safe” (like working with 24, 25, 26) solution in case I’d have to quickly downgrade again.
More specifically what I want to have is to get rid of the old
Reason: ~c"Option {verify, verify_peer} and cacertfile/cacerts is missing"
warning. While not a critical problem and I lived with it for some time I’d rather have it checked-off while I am still at it.
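Added example, not part of any post in this thread: one way to pass `verify: :verify_peer` together with a trust store on OTP 24, 25 and 26, using `:public_key.cacerts_get/0` where it exists (OTP 25+) and a PEM bundle on disk otherwise. The module name, the bundle paths and `mail.example.com` are assumptions made for the example.

```elixir
defmodule TLSOpts do
  @moduledoc "Added example: verify_peer client options for OTP 24, 25 and 26."

  # Assumption: common system CA bundle locations (Debian/Ubuntu/Alpine,
  # RHEL-family, Alpine/macOS). Only consulted when cacerts_get/0 is missing.
  @bundle_paths [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/cert.pem"
  ]

  @doc "Returns :ssl client options for `host`; raises if no trust store is found."
  def client_opts(host) when is_binary(host) do
    [
      verify: :verify_peer,
      # Allow a few intermediate CAs between the leaf and the trusted root.
      depth: 4,
      # SNI and the name the peer certificate is checked against.
      server_name_indication: String.to_charlist(host),
      # Accept wildcard certificates the way HTTPS clients do.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ] ++ trust_store()
  end

  # OTP 25+: load the OS trust store through public_key. apply/3 avoids an
  # "undefined function" compile warning on OTP 24. If the OS store cannot
  # be loaded the call raises, so the connection fails closed.
  defp trust_store do
    if Code.ensure_loaded?(:public_key) and
         function_exported?(:public_key, :cacerts_get, 0) do
      [cacerts: apply(:public_key, :cacerts_get, [])]
    else
      # OTP 24: point :ssl at a PEM bundle instead.
      case Enum.find(@bundle_paths, &File.regular?/1) do
        nil -> raise "no CA bundle found; refusing to connect unverified"
        path -> [cacertfile: String.to_charlist(path)]
      end
    end
  end
end

# Usage (constructed host name; needs network access):
#   {:ok, _} = Application.ensure_all_started(:ssl)
#   :ssl.connect(~c"mail.example.com", 465, TLSOpts.client_opts("mail.example.com"), 5_000)
```

The resulting keyword list can also be handed to whatever TLS/SSL options setting the mail or HTTP client in use exposes, provided it forwards them to `:ssl`.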
While I understand this, I am also not very positive that you change versions every day. I just now noticed that docker builds from hex do not come with specific OTP versions, which is not the greatest thing now that I think about it.
Personally I would take a look at the scripts for building these images and customize one of them for specific elixir and OTP version. I would even be inclined to help you make this into an official feature, as I use docker for almost all of my deploys.
I get your concerns but they do seem a bit paranoid. An OTP 26.2.5 image will be up soon enough (if it isn’t already) and that’s the end of the conundrum.
Or indeed make your own Erlang + Elixir Dockerfile as @D4no0 said. Should be maximum 1h of work and you can make the versions configurable.
New OTP versions come with a lot of nice things, JIT and further optimizations included, so staying on old versions should be reserved only in very constrained conditions with very specific requirements IMO.
And that’s the easiest way and smallest image sizes. I did custom images before but those are leaner and faster to build “runner” images.
Probably yes so that’s an option to wait (probably only) a little longer, but…
I do agree. That’s why I had everything running on 26 already for some time. But I got bitten by this very nastily so even if 26.2.5 pops up soon (which I think it will) I shall still be having a very close eye on how it behaves and whether the fix really fixed things and not introduced other problems, etc.
But right, maybe I am a bit too impatient and just wanted to fix all things around this area right away so that I don’t have to return to it later
Hex bob does create and host precompiled erlang and elixir packages to download (e.g. used by asdf) for local installations. That’s the list you looked at. It also builds docker images to much greater granularity, which are hosted on docker hub.
Great to know, thanks! I always thought that hexpm has a custom registry where it hosts docker images. If both are hosted on dockerhub then what is the value of having 2 separate repositories?