Container Image Updates

[bowlerma]

Hello,

It appears that the container images are not updated as frequently as the previous Zulu container images in order to pick up security from the underlying OS container image, e.g. Ubuntu.

Do you have a policy for how frequently the container images will be updated? Is it just when a new Java PSU is released, or will they be updated more frequently?

Also, is there any intention to provide container images for earlier PSUs for a given Java release, or will you only provide a container image for the latest PSU?

Regards,

Mark

[brunoborges]

Hi @bowlerma,

For now we will only provide tags for the latest PSU. If you want to use a specific JDK version, you can use the Linux package repository to stick to a JDK version by using apt-get/yum in your Dockerfile. All PSUs are available through MS's Linux repos, and this is how we install the JDK in our base images.

It is also important to note that any Dockerfile that consumes our images should always perform an apt-get/yum update/upgrade. The moment a developer builds an image FROM our base image, the OS will freeze in time and not receive updates, regardless of whether our base image is kept up to date or not. Therefore, I am not convinced that us constantly updating our base image would help, as it could potentially give a false sense of security. Consumers should ensure that their final images should be kept up to date in production.

[bowlerma]

ok, thank you for the info.

[brunoborges]

I've created a documentation issue to have this well described in our docs.

Thanks for the feedback!

Related: #125