Saw this on twitter yesterday and figured it was worth sharing:
Obviously he’s talking about helm, but any package manager counts. Worth keeping in mind for those who deploy charms, and for us who maintain them.
2 Likes
Interesting read, thanks for sharing.
I think a lot of this is very much something that Canonical cares deeply about. The experience we have tracking CVEs in both the Ubuntu Archive and Snaps brings us to do the same effort around containers being used in deployments. That’s also why traditional charms install software from archives, since that allows you to get the latest security patches.
We’ve been talking about ways to improve that process more generally and provide mechanisms to build images the way we build other archive artifacts, including easy rebuilds when security vulnerabilites are found, and scanning of known packages. (You’re software was built with package foo-1.24 and that has a known vulnerability.)
Yeah, adn the snap scanning and alerting for old dependencies and stuff is very useful for those of us who don’t track it too closely.
Just to be clear I wasn’t posting this with any great aim at Juju, but for charm developers its worth bearing in mind because containers can quickly get out of date and they aren’t necessarily maintained by you, so there’s a upstream/downstream tracking situation going on there.