Bugfix/wm 16100 update dotnet 10 on all services CVE 2026 40372#12

Open
nilcat wants to merge 7 commits into
cherts:mainfrom
WebMed-EPJ:bugfix/WM-16100-update-dotnet-10-on-all-services-cve-2026-40372

Conversation

@nilcat nilcat commented May 11, 2026

Update to .NET 10 to support the new packages

jarlehjortland and others added 6 commits February 25, 2025 16:06
The .NET 10 bump on this branch used dotnet/runtime:10.0-alpine3.20, which has two problems: (1) WALL-E is an ASP.NET app needing Microsoft.AspNetCore.App, which dotnet/runtime lacks (the working 9.x image was aspnet-based), and (2) .NET 10 has no alpine3.20 tag. Switch to dotnet/aspnet:10.0-alpine3.22.

Drop --with-llvm and the llvm15-dev/clang15 build deps: PostgreSQL JIT is a server-side feature and irrelevant for this client-side pg_repack image, and Alpine 3.22 no longer ships clang15 (and PG 17.0 won't build against LLVM 20). Removing it also shrinks the image.

Verified locally: built image carries Microsoft.AspNetCore.App 10.0.3 + Microsoft.NETCore.App 10.0.3 and pg_repack 1.5.3, and WALL-E starts on it.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
WebMed's dotnet-pg-repack image is built and pushed to harbor manually from a local machine (upstream CI only pushes to Docker Hub). Document the build/tag/push steps, why the base must be dotnet/aspnet, the no-LLVM rationale, and the tag convention WALL-E depends on.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Address PR review: use the latest .NET 10 Alpine variant (3.23) for max patches (CVE-driven change); fix the entrypoint chmod RUN where 'set -x \' swallowed the chmod so it never ran (didn't fail the build, but left docker_entrypoint.sh non-executable); and update the postgres-17 CI job's PGREPACK_VERSION 1.5.1 -> 1.5.3 so the cherts/pg-repack tag matches the built contents.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
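The chmod defect described in the commit above, as an added shell example (not code from the PR or from the cherts/pg-repack project): it reconstructs the broken RUN shape from the description, shows that the chmod silently never runs, and compares it with one corrected form using `&&`. The entrypoint path, the temp-file setup and the specific corrected form are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR or the project.
# A Dockerfile step written as
#     RUN set -x \
#         chmod +x /app/docker_entrypoint.sh
# is one logical line, so the shell executes
#     set -x chmod +x /app/docker_entrypoint.sh
# "chmod +x <path>" become positional parameters of 'set'; no chmod runs,
# the step exits 0, and the build passes with a non-executable entrypoint.
# Paths below are constructed in a temp dir (assumption, not the image's path).

# Faithful shape of the broken RUN step (line continuation kept on purpose).
buggy_run() {
  set -x \
    chmod +x "$1"
  set +x
}

# One corrected shape: '&&' ends the 'set' command before the continuation.
fixed_run() {
  set -x && \
    chmod +x "$1"
  set +x
}

# Returns 0 when the file carries an execute bit, 1 otherwise.
is_executable() {
  [ -x "$1" ]
}

# Creates a constructed, non-executable entrypoint script and prints its path.
make_entrypoint() {
  f=$(mktemp "${TMPDIR:-/tmp}/docker_entrypoint.XXXXXX")
  printf '#!/bin/sh\nexec "$@"\n' > "$f"
  chmod 644 "$f"
  printf '%s\n' "$f"
}

# Runs both shapes against fresh files and prints a verdict for each.
demo() {
  b=$(make_entrypoint); buggy_run "$b"
  is_executable "$b" && echo "buggy: executable" || echo "buggy: NOT executable"
  c=$(make_entrypoint); fixed_run "$c"
  is_executable "$c" && echo "fixed: executable" || echo "fixed: NOT executable"
  rm -f "$b" "$c"
}

demo
```

The trace output of the broken form shows `+ set +x` only, never a `+ chmod` line, which is the signal a build log review would have caught.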
@oyzar oyzar requested a review from cherts as a code owner June 19, 2026 21:21
Reverting the alpine3.23 bump: 3.22 and 3.23 both exist on MCR (the review claim that 3.22 is missing is incorrect), but PostgreSQL 17.0 fails to build from source on 3.23's newer toolchain, while 3.22 builds and is verified. The .NET 10 runtime (where CVE-2026-40372 is fixed) is identical on both, so 3.22 fully covers the CVE. Keeping the chmod and CI-version cleanups.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
3 participants