Proposal: additional base image `amazonlinux:2023`
Hey guys, first of all, thank you for the work you are doing 🙏 Docker images of `python` are being shipped millions of times per month (if not per day), and that's awesome 💪

As you most likely know, there is a CVE affecting MiniZip shipped with `zlib`, affecting Debian (buster, bullseye, and bookworm): https://security-tracker.debian.org/tracker/CVE-2023-45853. I am aware that this vulnerability is effectively impacting `minizip` (and not really the actual `libz` binary, which is the one that matters here).

This CVE is being considered as critical by my company's docker image scanner, so we've been trying to find ways to get rid of these security alerts, and, as a temporary solution, we decided to switch from the `python:3.X` base image to an `amazonlinux:2023[-minimal]` one with `python3.11` installed there (version maintained by Amazon). Using Amazon Linux 2023 removes this security alert, as Amazon backported the fix in its `libz` (c.f. Amazon document ALAS-2023-410) as version `1.2.11-33.amzn2023.0.5`.

Based on the context above, has this community thought of adding `amazonlinux:2023` as a base image of the python images, to benefit from the latest security releases? Or maybe should it be the responsibility of Amazon to create such an image (like they are doing with `amazoncorretto`)?

Cheers ✌️

This issue is not necessarily asking to support `amazonlinux` as a base image, but to open a discussion on that matter (and based on the issues of this repository, no one has brought it up yet).
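Added example, not code from the issue author or from the docker-library/python project: a Dockerfile along the lines of the workaround described above, building on `amazonlinux:2023` with Amazon's `python3.11` package and failing the build if the installed `zlib` is older than the release that ALAS-2023-410 names as fixed (`1.2.11-33.amzn2023.0.5`, quoted in the post). The package names `python3.11`, `python3.11-pip` and `shadow-utils`, and the `/usr/bin/pip3.11` path, are assumptions about the AL2023 repositories; check them with `dnf search python3.11` before relying on this.

```dockerfile
# Added example, not part of the original issue. Assumes the AL2023 repos
# carry the python3.11, python3.11-pip and shadow-utils packages.
FROM amazonlinux:2023

# Pull the current zlib build (ALAS-2023-410 lists 1.2.11-33.amzn2023.0.5
# as the fixed release) and a Python maintained by Amazon.
RUN dnf -y update zlib \
 && dnf -y install python3.11 python3.11-pip shadow-utils \
 && dnf clean all \
 && rm -rf /var/cache/dnf

# Make "python" and "pip" resolve to the 3.11 interpreter, mirroring the
# convenience names of the official python image. The pip3.11 path is an
# assumption about the python3.11-pip package layout.
RUN ln -sf /usr/bin/python3.11 /usr/local/bin/python \
 && ln -sf /usr/bin/python3.11 /usr/local/bin/python3 \
 && ln -sf /usr/bin/pip3.11 /usr/local/bin/pip

# Fail the build if the installed zlib predates the advisory's fix.
# `rpm -q --qf '%{RELEASE}'` prints e.g. "33.amzn2023.0.5"; the check
# compares the leading release number as an integer against 33.
RUN rel="$(rpm -q --qf '%{RELEASE}\n' zlib)"; \
    n="${rel%%.*}"; \
    echo "installed zlib release: $rel"; \
    [ "$n" -ge 33 ] || { echo "zlib older than ALAS-2023-410 fix" >&2; exit 1; }

# Run the application as an unprivileged user rather than root.
RUN useradd --system --create-home app
USER app
WORKDIR /home/app

# Print the interpreter and the zlib the interpreter is actually linked
# against, which is what a scanner should be judging.
CMD ["python", "-c", "import sys, zlib; print(sys.version, zlib.ZLIB_RUNTIME_VERSION)"]
```

Build with `docker build -t py311-al2023 .` and run the image once; the printed `ZLIB_RUNTIME_VERSION` shows the library the interpreter loads, while `rpm -q zlib` inside the container shows the package release (the `amzn2023` suffix) that scanners match against ALAS-2023-410.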