Not installing security updates is bad advice #614

Merged (1 commit), Mar 24, 2021

Conversation

@itamarst (Contributor) commented Mar 24, 2021

This is obviously bad advice: security updates are important, and should be installed.

For a more detailed explanation of why installing security updates in Docker builds is a good idea (I still can't believe I have to write this sentence, or had to write this article...), see https://pythonspeed.com/articles/security-updates-in-docker/

@jmanico jmanico merged commit 6374632 into OWASP:master Mar 24, 2021
@jmanico (Member) commented Mar 24, 2021

Good call, what a scary mistake on our end, my apologies

@itamarst (Contributor, Author) commented

Thank you!

@chadlwilson commented
Thanks for this @itamarst - couldn't agree more. Technically the line "Ensure the OS packages versions are pinned" is potentially contradictory too, depending on how you construct your Dockerfile and the order of install vs. upgrade.

A number of (all?) distros only allow pinning to a specific build rather than allowing `~major.minor` expressions, which would have the same effect of preventing security patches from coming through, to my knowledge?
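As an added illustration of the point the thread turns on (this is not code from the OWASP cheat sheet or from this PR), the two Dockerfile fragments below contrast exact-build pinning with no upgrade step against a build that applies security updates first. The package name, version string and base image tag are placeholders chosen for the example.

```dockerfile
# Added example, not from the cheat sheet or the PR.
# The version string below is a placeholder in Debian's format, not a real build.

# --- Weak: exact-build pinning, no upgrade step ---
# Reproducible, but the image keeps every fix the base image is missing,
# and once the distro ships a patched build the pinned one may vanish from
# the archive, at which point this layer stops building at all.
FROM debian:bullseye-slim
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      curl=7.74.0-1.3+deb11u0 \
 && rm -rf /var/lib/apt/lists/*

# --- Corrected: apply security updates, then install ---
# `apt-get upgrade` in the same RUN layer as `apt-get update` pulls the
# patched builds for everything already in the base image. Reproducibility
# comes from pinning the base image by digest (debian:bullseye-slim@sha256:...)
# and from the application stack's lockfile, not from freezing OS builds.
FROM debian:bullseye-slim
RUN apt-get update \
 && apt-get -y upgrade \
 && apt-get install -y --no-install-recommends curl \
 && rm -rf /var/lib/apt/lists/*
```

Ordering does not rescue the weak form: `apt-get install pkg=<exact build>` asks for that exact build whether or not `apt-get upgrade` ran before it, and an `apt-get upgrade` placed after it replaces the pinned build as soon as a newer one is published. Exact-build pinning and "install security updates" cannot both hold for the same package, which is the contradiction the comment above points at. To verify which builds an image actually ended up with, run `apt list --installed` (or `dpkg -l`) in the built container and compare against the distro's security advisories rather than trusting the Dockerfile text.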
