Hosting End-Of-Life Fedora Base images?
przemek.klosowski at nist.gov
Mon Jul 20 19:14:42 UTC 2015
On 07/20/2015 02:52 PM, Adam Miller wrote:
> On Mon, Jul 20, 2015 at 1:46 PM, Przemek Klosowski
> <przemek.klosowski at nist.gov> wrote:
>> Modern package-based systems like Fedora achieved a practical "patch early
>> and often" setup with responsive security posture, but they are subject to
>> creeping subsystem incompatibilities. Containers deliver integrated systems
>> that address very well the initial requirements, but I haven't seen a good
>> story on how they respond to dynamical security demands. So far their track
>> record is not so good ( "over 30% of official images in Docker Hub contain
>> high priority security vulnerabilities",
>> http://www.infoq.com/news/2015/05/Docker-Image-Vulnerabilities ).
> I'm mostly interested in the general consensus behind if we should
> make an effort to ship previously EOL'd Fedora releases. If you were
> aiming to make an argument for or against it then my apologies and I
> would like to request clarification because I misunderstood and am
> unsure if you were for or against.
I think it is a bad idea because it essentially sanctions choosing
obsolete setups with unknown security and operational properties.
I understand baking a container from fresh ingredients---yes, it'll be
subject to dynamic security decay, but at least it'll be good in the
In contrast, a containerized obsolete system should be basically
considered shot right from the moment it was created, and then it will
get worse as time goes on.
I think we should discourage this on principle.