v4 image claims to be Debian Bullseye but is actually Bookworm

[thockin]

$ docker run -ti --entrypoint "" gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc3 cat /etc/debian_version
11.7

$ docker run -ti --entrypoint "" registry.k8s.io/build-image/debian-base:bookworm-v1.0.0 cat /etc/debian_version
12.0

$ docker run -ti --entrypoint "" gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc3 cat /etc/os-release
PRETTY_NAME="Distroless"
NAME="Debian GNU/Linux"
ID="debian"
VERSION_ID="11"
VERSION="Debian GNU/Linux 11 (bullseye)"
HOME_URL="https://github.com/GoogleContainerTools/distroless"
SUPPORT_URL="https://github.com/GoogleContainerTools/distroless/blob/master/README.md"
BUG_REPORT_URL="https://github.com/GoogleContainerTools/distroless/issues/new"

[renxunsaky]

Thanks for creating this issue.
So, the problem is from this line as said in the closed issue #773
https://github.com/kubernetes/git-sync/blob/v4.0.0-rc3/Dockerfile.in#L107C13-L107C25

Maybe we should be more selective while copying the files.

[renxunsaky]

I think we should not use the distroless/base image as intermediate one until there is bookworm version. Because when we install libraries inside this distroless/base, it will install libraries, like openssh, libssl1.1 etc. for the OS 11. In that case, it retrieves the vulnerabilities of the version 11. Then these libraries are copied from the intermediate image to the final one.

[thockin]

distroless serves the purpose of populating things like /etc and /dev and ca-certificates.

To drop distroless we either do that all ourselves or we find a workable replacement. chainguard's static may fit the bill, but it purports to be alpine instead of debian, so I'm not sure it will be as easy as I'd like.

Out of time for today, but this is clearly a v4 release blocker.