PSA: launcher.gcr.io is not being maintained

So you might have cut and pasted some code from somewhere, maybe a 'FROM launcher.gcr.io/debian9' kind of thing. That's a good upstream, right? They are maintaining it with a strong CI? Then suddenly you read:

Hmm. Double whammy. You have been relying since 2018-07-18 on something that is no longer being updated (while rebuilding your tool daily, running SAST, etc., and never noticing. Shame on you!). A daily rebuild just re-pulls the same stale layers, and SAST on your own source says nothing about the packages in the base image. And on top of that, the recommended replacement requires GCP credentials, which you don't have in your OSS build environment.

Well, at least now you know, and you can probably replace this with debian:stretch and be happy (the Docker Hub one is maintained by the Debian team).
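One way to have noticed in the first place is a CI check that fails when a Dockerfile's base image has not been rebuilt within some window. The script below is an added example, not code from this post or from fluent-bit: it extracts the upstream images from a Dockerfile's FROM lines, reads the `Created` timestamp that `docker image inspect` reports for each, and returns the ones older than a threshold. The Dockerfile text, the inspect records and their timestamps, the fixed "now", and the 90-day threshold are all constructed or assumed here so it runs offline.

```python
"""Flag Dockerfile base images whose registry-reported creation date is stale.

Added example, not code from the original post or from fluent-bit.
The Dockerfile text and the `docker image inspect` records below are
constructed inline so this runs offline; in CI you would produce the records
with `docker image inspect <image>` after pulling each base image.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# FROM <image>, optionally preceded by flags such as --platform=... and
# optionally followed by `AS <stage>`. Instruction keywords are case-insensitive.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)

# Docker reports Created as RFC 3339 with up to nanosecond precision, e.g.
# 2018-07-18T09:00:00.123456789Z, which strptime cannot parse directly.
CREATED_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z")


def base_images(dockerfile_text: str) -> list[str]:
    """Return the upstream images referenced by FROM lines, in order.

    `scratch` and the names of earlier build stages are not upstream images
    and are skipped, so a multi-stage file yields only what is actually pulled.
    """
    stages: set[str] = set()
    images: list[str] = []
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if image != "scratch" and image not in stages:
            images.append(image)
        if stage:
            stages.add(stage)
    return images


def parse_created(created: str) -> datetime:
    """Parse the `Created` field of `docker image inspect` into a UTC datetime."""
    m = CREATED_RE.fullmatch(created)
    if not m:
        raise ValueError(f"unexpected Created value: {created!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def image_age_days(created: str, now: datetime) -> int:
    """Whole days between the image's Created timestamp and `now`."""
    return (now - parse_created(created)).days


def stale_bases(dockerfile_text: str, inspect_records: dict, now: datetime,
                max_age_days: int = 90) -> list[tuple[str, int]]:
    """Return (image, age_in_days) for every base image older than the threshold.

    A missing record is an error rather than a pass: an image the check could
    not inspect must never be reported as fresh.
    """
    stale = []
    for image in base_images(dockerfile_text):
        record = inspect_records.get(image)
        if record is None:
            raise LookupError(f"no inspect record for {image}; pull and inspect it first")
        age = image_age_days(record["Created"], now)
        if age > max_age_days:
            stale.append((image, age))
    return stale


# Constructed Dockerfile: an unmaintained base for the build stage, the
# maintained Docker Hub image for the runtime stage.
SAMPLE_DOCKERFILE = """\
FROM launcher.gcr.io/debian9 AS build
RUN apt-get update && apt-get install -y build-essential
FROM --platform=linux/amd64 debian:stretch
COPY --from=build /out/tool /usr/local/bin/tool
"""

# Constructed stand-ins for `docker image inspect` output; the timestamps are
# illustrative, not the images' real creation dates.
SAMPLE_INSPECT = {
    "launcher.gcr.io/debian9": {"Created": "2018-07-18T09:00:00.123456789Z"},
    "debian:stretch": {"Created": "2019-01-15T03:00:00Z"},
}
NOW = datetime(2019, 2, 1, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible


if __name__ == "__main__":
    for image, age in stale_bases(SAMPLE_DOCKERFILE, SAMPLE_INSPECT, NOW):
        print(f"STALE: {image} was built {age} days ago")
```

The threshold is a policy choice (90 days is an assumption here), and a stale base is not itself a vulnerability; what it signals is that no security updates have reached the image. If you pin bases by digest to make builds reproducible, the same check still applies, since a pinned digest only goes stale more quietly.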

I, of course, would never have made this mistake, and for sure if I had I would have noticed the upstream was never changing in that time 🙂



3 Responses to “PSA: launcher.gcr.io is not being maintained”

  1. Kevin Nisbet

    Just on the topic of Debian, we've been switching to using Ubuntu as our base for non-bare containers. In August when I did testing, I wasn't able to find any Debian release that would have a completely clean scan result with Clair, and even if not exploitable, users take pause when they look at quay.io and see "HIGH" rated vulnerabilities listed.

    The ubuntu containers are also noticeably smaller than our debian containers. https://blog.ubuntu.com/2018/07/09/minimal-ubuntu-released

    Not saying this is for everyone, just sharing that we decided to make this change.

    1. db

      Good point, I use the ubuntu one as well for exactly the same reasons.

      Here it's used for build only, and the final is 'distroless'. My pull request is not taken yet, but the original:

      https://github.com/fluent/fluent-bit/blob/master/Dockerfile

      shows. I made all the changes to make it distroless but missed that the base one was no longer maintained.

      For those who haven't tried distroless, give it a whirl, and make it read-only of course 🙂

    2. db

      I also use clair and enjoy its output 🙂
      At first I was excited about Alpine since it was clean. Then I realised there is no maintained list of CVEs for Alpine, so it's always 'clean' as a false negative!
