#6170: respin f21 Docker Base image for security update
Fedora Release Engineering
rel-eng at fedoraproject.org
Thu May 14 16:41:14 UTC 2015
------------------------------+-----------------------
Reporter: walters | Owner: rel-eng@…
Type: task | Status: new
Milestone: Fedora 22 Final | Component: other
Resolution: | Keywords:
Blocked By: | Blocking:
------------------------------+-----------------------
Comment (by walters):
So...there may not be an emergency here, although I want to understand
*why* that is.
{{{
https://dl.fedoraproject.org/pub/fedora/linux/releases/21/Docker/x86_64/Fedora-Docker-Base-20141203-21.x86_64.tar.gz
curl https://dl.fedoraproject.org/pub/fedora/linux/releases/21/Docker/x86_64/Fedora-Docker-Base-20141203-21.x86_64.tar.gz | docker load
docker run --rm -ti Fedora-Docker-Base-20141203-21.x86_64 grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
}}}
So that image is *not* vulnerable. Yet if you go to the f21
spin-kickstarts branch:
https://git.fedorahosted.org/cgit/spin-kickstarts.git/log/?h=f21
Then click on the parent of my security fix, then tree and look at the
kickstart, I see:
https://git.fedorahosted.org/cgit/spin-kickstarts.git/tree/fedora-docker-base.ks?h=f21&id=843b6a344e30c2cc4b4c5261849c161c725f5965#n9
And there's nothing locking it.
Dennis, is there a way to know which Koji task (that would have a link to
the kickstart) was used to generate that image? I'm not seeing a way to
query this in the web UI at least.
--
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/6170#comment:10>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project