[ https://issues.apache.org/jira/browse/SOLR-16523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17641910#comment-17641910 ]

Jan Høydahl commented on SOLR-16523:
------------------------------------

My opinion on security scans is that you'll never pass them for most docker 
images. They serve as a gauge for how bad things are, and the result changes 
weekly. A human needs to discern which of them are exploitable and need a 
patch/upgrade and which of them you just have to accept in the name of 
stability. I.e. you want to stay on an LTS Linux distro for stability, but then 
you are conservative about upgrading all packages to latest.

As for gosu, if we're going to remove it, we'd need to deprecate it and remove 
it from next major version so that users of our image who currently use gosu in 
their init-scripts.

We must assume that we have users that utilize gosu today, e.g. by initializing 
things as root and then switching back to the 'solr' user.

> gosu binary version
> -------------------
>
>                 Key: SOLR-16523
>                 URL: https://issues.apache.org/jira/browse/SOLR-16523
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Docker
>    Affects Versions: 8.11.2
>            Reporter: Ritchie Gu
>            Assignee: Jan Høydahl
>            Priority: Major
>
> I noticed that as part of the process, it's installing gosu and a few other 
> packages 
> [https://github.com/apache/solr-docker/blob/main/8.11-slim/Dockerfile#L20]
> The version of gosu that gets installed is a bit old; do you have any plan 
> to install a newer version of gosu?
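The init-script pattern the comment refers to (do root-only setup, then switch to the 'solr' user with gosu before starting the server) is sketched below as an added example; it is not code from the Solr docker image. The user name, the `SOLR_HOME` path and the `solr-foreground` command are assumptions, and the `priv_drop_prefix` helper takes the uid and gosu availability as arguments so the decision logic can be exercised without a real gosu binary.

```shell
#!/bin/sh
# Added example, not the Solr project's entrypoint. Shows the "init as root,
# then drop to the service user with gosu" pattern from the comment.
set -eu

SOLR_USER="${SOLR_USER:-solr}"        # assumed service account name
SOLR_HOME="${SOLR_HOME:-/var/solr}"   # assumed data directory

# Print the prefix to put in front of the real command:
#   "gosu <user>" when running as root and gosu is present,
#   nothing        when already running as a non-root user.
# Fails (return 1) when root but gosu is missing, so the caller never
# silently starts the server as root. Args: <uid> <yes|no gosu available>
priv_drop_prefix() {
    uid="$1"; have_gosu="$2"
    if [ "$uid" -eq 0 ]; then
        if [ "$have_gosu" = yes ]; then
            printf 'gosu %s' "$SOLR_USER"
        else
            return 1
        fi
    fi
}

# Work that genuinely needs root: create the data dir and hand it to the
# service user so the server can run unprivileged afterwards.
init_as_root() {
    mkdir -p "$SOLR_HOME/data"
    chown -R "$SOLR_USER:$SOLR_USER" "$SOLR_HOME"
}

main() {
    if command -v gosu >/dev/null 2>&1; then have=yes; else have=no; fi
    prefix=$(priv_drop_prefix "$(id -u)" "$have") || {
        echo "running as root but gosu is missing; refusing to start as root" >&2
        exit 1
    }
    [ "$(id -u)" -eq 0 ] && init_as_root
    # exec so gosu replaces this shell and signals reach the server directly;
    # $prefix is intentionally unquoted so an empty prefix disappears.
    exec $prefix solr-foreground "$@"
}

# Only run the entrypoint when explicitly asked, so the file can be sourced.
if [ "${SOLR_ENTRYPOINT_RUN:-0}" = 1 ]; then main "$@"; fi
```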



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
