by itamarst 1840 days ago
Seems like the author is assuming the official images get security updates applied immediately. They don't. So you need to apply system package updates yourself, separately from updating the base image.

https://pythonspeed.com/articles/security-updates-in-docker/ has an example of a security update that was missing in the official Ubuntu base image, two weeks after Ubuntu released the updated package. I've also seen missing security updates in the Debian base images used for things like Python and OpenJDK official base images.

This means that you need to rebuild automatically yourself on a schedule (or as result of distro updates), e.g. https://pythonspeed.com/articles/docker-cache-insecure-image...

2 comments

The neat way to re-run a layer daily is to use a build arg:

  FROM debian
  
  # Any change to this ARG's value is part of the cache key for every
  # instruction that follows it, so a new value forces the RUN below to re-run.
  ARG APT_UPDATE_DATE
  RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
Then `docker build --build-arg APT_UPDATE_DATE=$(date +%Y%m%d)` will always re-run the `apt-get update` for the first build each day. You probably also want `--pull`.
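As an added example (not code from the thread or from either commenter), here is a small POSIX shell script that ties the two ideas above together: the scheduled rebuild with `--pull` and a dated build arg, and a gate that fails when the resulting image still has pending apt security upgrades, the "is an upgrade material" check the original post argues for. Image names, the `myapp:latest` tag and the sample `apt-get -s upgrade` output are assumptions constructed for the example; the only real commands relied on are `docker build`, `docker run` and `apt-get -s upgrade`.

```shell
#!/bin/sh
# Added example: daily rebuild plus pending-security-upgrade gate.
# Not from the original thread; image names and sample output are constructed.
set -eu

# Today's stamp, e.g. 20210101, used as the cache-busting build arg.
today() {
    date +%Y%m%d
}

# Compose the daily build command: --pull refreshes the base image tag,
# the dated ARG invalidates the cache from the apt layer onwards.
# $1 = image tag, $2 = build context directory, $3 = date stamp.
build_cmd() {
    printf 'docker build --pull --build-arg APT_UPDATE_DATE=%s -t %s %s\n' "$3" "$1" "$2"
}

# Parse `apt-get -s upgrade` output on stdin. Each pending upgrade is an
# "Inst <pkg> [<old>] (<new> <origin> [<arch>])" line; the origin carries
# "-security" (Ubuntu) or "Debian-Security" (Debian) for security updates.
# Prints "<total> <security>".
count_pending() {
    awk '/^Inst / { total++; if ($0 ~ /-security|Debian-Security/) sec++ }
         END { printf "%d %d\n", total+0, sec+0 }'
}

# Simulated apt output inside the image (constructed for this example).
SAMPLE_APT_OUTPUT=$(cat <<'EOF'
Reading package lists...
Building dependency tree...
Calculating upgrade...
The following packages will be upgraded:
  libssl1.1 openssl tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.1d-0+deb10u6] (1.1.1d-0+deb10u7 Debian-Security:10/stable [amd64])
Inst openssl [1.1.1d-0+deb10u6] (1.1.1d-0+deb10u7 Debian-Security:10/stable [amd64])
Inst tzdata [2021a-0+deb10u1] (2021a-0+deb10u2 Debian:10.9/stable [all])
Conf libssl1.1 (1.1.1d-0+deb10u7 Debian-Security:10/stable [amd64])
EOF
)

# Run the simulation inside a built image. Needs network for apt-get update.
# Prints "<total> <security>" for the image in $1.
pending_in_image() {
    docker run --rm "$1" sh -c 'apt-get update -qq >/dev/null && apt-get -s upgrade' \
        | count_pending
}

# Gate for a scheduled job: rebuild, then refuse to publish if the fresh
# image already lags the distro's security archive.
# $1 = image tag, $2 = build context.
rebuild_and_gate() {
    eval "$(build_cmd "$1" "$2" "$(today)")"
    counts=$(pending_in_image "$1")
    sec=${counts#* }
    if [ "$sec" -gt 0 ]; then
        echo "$1: $sec pending security upgrade(s) after rebuild; not publishing" >&2
        return 1
    fi
    echo "$1: no pending security upgrades"
}

# Usage from cron (not executed here):
#   rebuild_and_gate myapp:latest .
```

`count_pending` is split out so the parsing can be exercised on captured output without Docker; in practice a non-zero security count right after `apt-get upgrade` ran in the build means the base image's apt sources, not your layer, are the stale part, which is exactly the lag the thread is discussing.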
I came across your article on security updates when I was researching this. Thanks for writing it - it was super helpful. One of the sub goals for us is to quantify the lag that you've observed here. We're also reviewing an automated check that would flag times when an apt upgrade would be material. This is very much based on your bad arguments 1 through 4.
Cool, I would love to see some numbers! I know that some official images aren't updated for literally months (e.g. `centos`, even before the CentOS/RHEL decoupling), but others are more frequent.
Will send when we've got some data. Had been wanting to reach out to you about an idea for an automated check anyway.