-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
include package metadata in chiseled images #148
Comments
looks like this is part of https://github.com/canonical/rocks-toolbox/blob/main/chisel-wrapper as |
Hi @sozercan, you found the chisel-wrapper! We do have some plans to have a DB generated by Chisel directly which will resolve this issue. The PRs are very close to be merged and will hopefully land in a new version soon! Until then, please feel free to use the chisel-wrapper. We are currently using the wrapper for building Let me know if you have any more questions. Cheers! |
@rebornplusplus do you know the latest status on this? will this have the same structure with what's available with chisel-wrapper (single status file)? thanks! |
Hello! The last PR for the Chisel DB/manifest is in the final review stage: #142. The format will not be the same as the dpkg status file. The format is introduced in the internal/manifest/manifest.go file. |
custom ubuntu chiseled images doesn't seem to contain package metadata. This makes it unable to be scanned for vulnerabilities or patched with https://github.com/project-copacetic/copacetic
For example, Google distroless contains package information in
/var/lib/dpkg/status.d/
https://oci.dag.dev/layers/gcr.io/distroless/static-debian12@sha256:e9168165836a0e692fbd161177ea950bfc17e3ec476fff726ff7c038e62e5cc8/var/lib/dpkg/status.d/
and similarly in Azure Linux in
/var/lib/rpmmanifest/
https://oci.dag.dev/layers/mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:421cb3d7179891ba8ab574f6170b9b2e9e19531575446df7b5abffd4c6f2394b/var/lib/rpmmanifest/
The text was updated successfully, but these errors were encountered: