this post was submitted on 20 Dec 2025
61 points (100.0% liked)

Selfhosted

60451 readers
914 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

I'm talking not only about trusting the distribution chain but about the situation where some services dont rebuild their images using updated bases if they dont have a new release.

So per example if the particular service latest tag was a year ago they keep distributing it with a year old alpine base...

you are viewing a single comment's thread
view the rest of the comments
[–] lemmyng@piefed.ca 10 points 6 months ago

Rebuild: no. If the software itself is unmaintained, it gets replaced.

Patch: yes. If the base image contains vulnerabilities that can be fixed with a package update, then that gets applied. The patch size and side effects can be minimized by using copacetic, which can ingest Trivy scan results to identify vulnerabilities.

There's also repos like Chainguard and Docker hardened images which are handy for getting up to date images of commonly used tools.