
Understand and document docker update policy

Open sxa opened this issue 1 year ago • 2 comments

We had an incident recently where a critical openssl update which was released by Ubuntu on the 6th February did not make it into our container images for almost a month (1st March).

This was discussed in this slack thread and while the current images are now correct with libssl3 package 3.0.2-0ubuntu1.8 we should:

  • Understand why there was such a delay in getting a rebuild with this patched openssl into our images (which are based on the official images)
  • Create a FAQ entry to describe the update process and the reasons why there might be a delay plus set any expectations around this.

Notes for reference (I'm not an expert on the base image update process so I cannot comment on the implications of these, but they are just from some observations):

  • https://git.launchpad.net/cloud-images/+oci/ubuntu-base/log/?h=oci-jammy-22.04 suggests there was an update to the base image on the 7th and 17th of February and then another on the first of March. I would have expected all three of those to have included the update
  • Having said that, https://git.launchpad.net/cloud-images/+oci/ubuntu-base/log/?h=jammy-22.04 does not indicate there was a manifest update around that time
  • Our eclipse-temurin:17-jre was confirmed to have been rebuilt around the 16th February with a vulnerable openssl based on the comments in the thread.
  • The images pushed yesterday (March 2nd) have the patched versions of libssl3

sxa avatar Mar 03 '23 11:03 sxa
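A way to verify what the post above confirmed by hand, as an added example that is not part of this issue or of the Adoptium project's code: a small shell script that reads the installed libssl3 version out of an image and compares it with the version expected to carry the fix. It assumes the `docker` CLI is available and that the image is Ubuntu/Debian-based so `dpkg-query` exists inside it; the image name and the package version are taken from the post.

```shell
#!/bin/sh
# Added example: check that a container image ships at least a given
# Debian/Ubuntu package version (e.g. libssl3 3.0.2-0ubuntu1.8).
# Assumes the docker CLI and an image that contains dpkg-query.

# version_at_least INSTALLED REQUIRED -> prints "yes" or "no".
# `sort -V` (GNU coreutils / busybox) orders Debian-style version strings
# such as 3.0.2-0ubuntu1.8 correctly for the cases seen here; on a Debian
# host, `dpkg --compare-versions` is the exact reference implementation.
version_at_least() {
    installed=$1
    required=$2
    lowest=$(printf '%s\n%s\n' "$installed" "$required" | sort -V | head -n 1)
    if [ "$lowest" = "$required" ]; then
        echo yes
    else
        echo no
    fi
}

# image_package_version IMAGE PACKAGE -> prints the version of PACKAGE
# installed inside IMAGE, by running dpkg-query in a throwaway container.
image_package_version() {
    docker run --rm --entrypoint dpkg-query "$1" -W -f '${Version}' "$2"
}

# check_image IMAGE PACKAGE REQUIRED -> prints a verdict line and returns
# 0 when the image is patched, 1 when it is not, 2 when the lookup failed.
check_image() {
    image=$1
    pkg=$2
    required=$3
    installed=$(image_package_version "$image" "$pkg") || return 2
    verdict=$(version_at_least "$installed" "$required")
    echo "$image: $pkg $installed (required >= $required): $verdict"
    [ "$verdict" = yes ]
}

# Usage, e.g.:  sh check_image.sh eclipse-temurin:17-jre libssl3 3.0.2-0ubuntu1.8
# Only runs when exactly three arguments are given, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    check_image "$1" "$2" "$3"
fi
```

Run it against each tag you publish after a base-image rebuild; a "no" verdict means the rebuild picked up a base layer that still carries the old package.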

See also https://github.com/docker-library/tomcat/issues/290

sxa avatar Mar 06 '23 12:03 sxa

Entry in the project FAQ: https://github.com/adoptium/adoptium.net/pull/1523/files

sxa avatar Mar 15 '23 14:03 sxa