[Comment] Automating .NET Security Updates
https://rehansaeed.com/automating-dotnet-security-updates/
Great tip, Rehan, thanks for sharing! I usually build my .NET core projects in a docker container (e.g. mcr.microsoft.com/dotnet/core/sdk:3.1 image) - would it be fair to assume that these images (build and runtime) get updated when security patches are released?
I half wrote something about Docker and then deleted it because the story is complex and I haven't thought it through. You could omit the patch version in the SDK Docker image tag and that would give you the latest patched image each time you did a docker pull. However, how do you know when a new base SDK image has been published? How can you start a build when that happens?
I think the best solution to that problem is still Dependabot raising a PR and that being the instigator for a build. One alternative is to use a nightly build but the problem with this is that you'd get a lot of builds that are just the same as the night before.
> However, how do you know when a new base SDK image has been published? How can you start a build when that happens?
Dependabot supports Docker and can create PRs when a new SDK image is published.
In my projects, I have deleted global.json and I am using Docker with Dependabot.
BTW, I tried to comment directly on your page, but you are asking me too many permissions:
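The Dependabot-for-Docker setup described in the comment above, as an added example that is not part of the original thread or of Rehan's site. It assumes the Dockerfile and the solution both live at the repository root and that a daily check is acceptable; both are assumptions, not values from the page.

```yaml
# Added example (not from the original thread): .github/dependabot.yml
# Dependabot watches the FROM lines in the Dockerfile under "directory"
# and raises a PR when a newer tag of the base image (e.g. the .NET SDK
# or ASP.NET Core runtime image) is published. The NuGet entry covers
# the package references in the same repository.
version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"          # assumption: Dockerfile at the repo root
    schedule:
      interval: "daily"     # assumption: daily check for new image tags
  - package-ecosystem: "nuget"
    directory: "/"          # assumption: .sln/.csproj at the repo root
    schedule:
      interval: "daily"
```

For Dependabot to have something to bump, the FROM line should pin a full version tag rather than the floating major.minor form; the PR it opens then both records which patched image is in use and triggers the CI build on that branch, which is the "instigator for a build" mentioned earlier in the thread.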
Ah yes, I forgot about that. Seems like a good alternative.
There is a link where you can comment directly on GitHub if you don't like the permissions. I think I may just remove the ability to do that on my site directly.