1

I would like to get information that important package updates occurred (e.g. connected with security updates), so that I know that I need to rebuild my Alpine-based images with apps.

It could be something similar to Debian's https://www.debian.org/security/ with the DSA list https://lists.debian.org/debian-security-announce/ .

There are some mailing lists for Alpine https://lists.alpinelinux.org/lists/%7Ealpine , but they do not seem sufficient for my use case (e.g. https://lists.alpinelinux.org/~alpine/announce has only info about OS releases).

Is there anything like that? Or: Is there any other procedure to keep Alpine-based systems secure?

keypress

2 Answers

1

Didn't find anything fancy like Debian's security page, but you might have a look at this: https://git.alpinelinux.org/aports/log/?h=v3.10.3

The security fixes appear in the log messages, so it might be possible to track them that way.

1

This matter was discussed these days at alpine/users group here. So for now the best option, and an acceptable one for me, is to use the RSS feed. The RSS feed has info about closed Security issues.

RSS: https://gitlab.alpinelinux.org/alpine/aports/issues.atom?state=closed&label_name%5B%5D=T-Security

List of issues in GitLab: https://gitlab.alpinelinux.org/alpine/aports/issues?state=closed&label_name%5B%5D=T-Security

So you can get notified about new SecFixes and decide if you need to rebuild your images. You can use rss2email to be notified via e-mail.

keypress
  • I think the label name changed, this works for me: https://gitlab.alpinelinux.org/alpine/aports/-/issues.atom?state=closed&label_name[]=tag%3Asecurity – tlo Jul 02 '20 at 13:37
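
The feed-based approach from the answer above, as an added example that is not part of the original answers: it filters an Atom issue feed for entries updated since the last check that name a package shipped in your image. The sample feed, the `package: summary` title format, and the function names are assumptions; in practice the input would be the body fetched from the feed URL given in the answer.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

ATOM = {"a": "http://www.w3.org/2005/Atom"}

# Constructed sample shaped like an Atom issue feed; titles and URLs are made up.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>openssl: constructed example issue</title><updated>2020-07-02T10:00:00Z</updated>
    <link href="https://gitlab.example.invalid/aports/issues/1"/></entry>
  <entry><title>busybox: constructed example issue</title><updated>2020-06-20T08:30:00Z</updated>
    <link href="https://gitlab.example.invalid/aports/issues/2"/></entry>
  <entry><title>nginx: constructed example issue</title><updated>2020-07-03T12:00:00Z</updated>
    <link href="https://gitlab.example.invalid/aports/issues/3"/></entry>
</feed>"""


def parse_ts(text):
    """Parse an Atom (RFC 3339) timestamp into an aware datetime."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def issues_needing_rebuild(feed_xml, since, packages):
    """Return (package, title, url) for entries updated after `since` that name a shipped package."""
    hits = []
    # The feed is assumed to come from a source you trust; use defusedxml for untrusted XML.
    for entry in ET.fromstring(feed_xml).findall("a:entry", ATOM):
        title = entry.findtext("a:title", default="", namespaces=ATOM)
        updated = entry.findtext("a:updated", default="", namespaces=ATOM)
        link = entry.find("a:link", ATOM)
        if not updated or parse_ts(updated) <= since:
            continue  # handled on a previous run, or no timestamp to compare
        for pkg in sorted(packages):
            # Whole-name match so "ssl" does not match "openssl"
            if re.search(r"(?<![\w-])" + re.escape(pkg) + r"(?![\w-])", title):
                url = link.get("href") if link is not None else ""
                hits.append((pkg, title, url))
    return hits


if __name__ == "__main__":
    last_run = parse_ts("2020-07-01T00:00:00Z")  # persist this between runs
    installed = {"openssl", "busybox"}  # e.g. names taken from `apk info` in the image
    for pkg, title, url in issues_needing_rebuild(SAMPLE_FEED, last_run, installed):
        print(f"rebuild: {pkg} <- {title} ({url})")
```

Storing the timestamp of the newest entry seen and passing it as `since` on the next run keeps the check idempotent, so a scheduled job only triggers a rebuild for issues it has not reported before.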