I was reviewing the security vulnerabilities of my production images, specifically the difference between the latest default Dockerfile configuration generated with mix phx.gen.release --docker, bullseye-20240423-slim
What I’m doing in the meantime is just building with the previous beta version of noble, and then copying and running the app with the official bare noble image
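The workaround in the post above, written out as a multi-stage Dockerfile. This is an added example, not the file that mix phx.gen.release --docker generates and not the poster's own Dockerfile; the hexpm/elixir tag components (Elixir 1.16.2, OTP 26.2.5, the noble-20240423 date tag), the release name my_app, and the runtime package list are assumptions you should check against the tags actually published on Docker Hub and against your own release configuration.

```dockerfile
# Added example (not the generated phx.gen.release Dockerfile).
# Builder: a pinned hexpm/elixir image built on an older noble snapshot.
# Runner: the bare, current ubuntu:noble image so the final image only
# carries the runtime packages the release needs and gets its glibc from
# the latest Ubuntu push rather than from a stale builder base.
# All version/tag values below are assumptions; verify them on Docker Hub.
ARG ELIXIR_VERSION=1.16.2
ARG OTP_VERSION=26.2.5
ARG UBUNTU_VERSION=noble-20240423

ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-ubuntu-${UBUNTU_VERSION}"
ARG RUNNER_IMAGE="ubuntu:noble"

FROM ${BUILDER_IMAGE} AS builder

# Build tooling only lives in this stage; nothing from here reaches the runner
# except the compiled release copied below.
RUN apt-get update -y && apt-get install -y build-essential git \
    && apt-get clean && rm -rf /var/lib/apt/lists/*

WORKDIR /app
RUN mix local.hex --force && mix local.rebar --force
ENV MIX_ENV="prod"

# Fetch and compile deps before copying the rest of the source so the
# dependency layer is cached across app-code changes.
COPY mix.exs mix.lock ./
RUN mix deps.get --only $MIX_ENV
RUN mkdir config
COPY config/config.exs config/${MIX_ENV}.exs config/
RUN mix deps.compile

COPY priv priv
COPY lib lib
COPY assets assets
RUN mix assets.deploy
RUN mix compile
COPY config/runtime.exs config/
RUN mix release

# Runtime stage: bare noble plus the shared libraries an OTP release needs.
FROM ${RUNNER_IMAGE}

RUN apt-get update -y \
    && apt-get install -y --no-install-recommends \
       libstdc++6 openssl libncurses6 locales ca-certificates \
    && apt-get clean && rm -rf /var/lib/apt/lists/*

# Set the locale so the BEAM starts with UTF-8 as phx.gen.release expects.
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8

WORKDIR /app
RUN chown nobody /app
ENV MIX_ENV="prod"

# "my_app" is a placeholder release name; use the name from your mix.exs.
COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/my_app ./

# Run the release as an unprivileged user.
USER nobody
CMD ["/app/bin/server"]
```

Build it with a local tag (for example docker build -t my_app:local .) and point Docker Scout at that tag to get the same kind of report discussed in this thread, but against the exact base-image snapshot you chose rather than whatever the hub listing shows. When the registry catches up with the newer noble builder tags, only the UBUNTU_VERSION argument needs to change.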
I was surprised to see an ubuntu release without any vulnerabilities at all (even with low or unspecified severity)… But if we look now, it’s just as the usual same “vulnerable” packages… I guess the analyzing tool (Docker Scout) had just not yet finished at that time…
I usually use Alpine images (even for other stacks than Elixir/Phoenix) and it’s just running fine… Any reason for going with Ubuntu instead of Alpine?
Thanks. Quite curious and informative. But in any case OTP 27 is due pretty soon (May 2024 IIRC) so it won’t matter.
It’s a shame that an effort to disentangle the legacy horrible mess that is libc leads to discovering how many pieces of software rely on its leaky abstractions but oh well, real software requires compromises.
I should’ve mentioned the vulnerability arc was just what led me to the issue that the registry is missing the latest images. Classic X-Y problem, my bad.
You’re 100% correct and I also suspected Scout hadn’t finished its scans, which is why I wanted to build and scan it locally to see what was going on.
This is the noble-20240423 hub image now but Scout is actually behind on reporting some of the latest glibc CVEs that have already been patched 4 days ago and awaiting repo updates to v2.40