
use debian as base and build ruby ourselves to support daily updates

Open machisuji opened this issue 8 months ago • 3 comments

https://community.openproject.org/projects/devops/work_packages/37520/activity

machisuji avatar Apr 15 '25 14:04 machisuji

Why do we need that?
Also, take into account some stuff for jemalloc. Do we need to remove ruby-install-$RUBYINSTALL_VERSION and the tarball itself after installation?

top4ek avatar Apr 15 '25 14:04 top4ek

Hi @top4ek, thanks for your comment. Yes, we should remove ruby-install and the tarball after the installation. Right now, this is just a proof of concept. If we do want to do this, it will need some more polish, yes.

As for why we need it, the idea is to get the included dependencies as recent as possible to reduce the number of CVEs. Whether this actually does reduce the number in a meaningful way, we have yet to test as well.

machisuji avatar Apr 15 '25 14:04 machisuji
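Putting the points raised so far into one concrete layout, as an added example that is not the PR's Dockerfile and not OpenProject's code: a Debian 12 base image that builds Ruby with ruby-install, links it against jemalloc, verifies the installer tarball before unpacking it, and removes the installer, its tarball and the Ruby sources in the same RUN layer so none of them ship in the image. Versions and the checksum are build-arg placeholders (the PR pins none). The ruby-install flags (`--system`, `--cleanup`, and `--` to hand `--with-jemalloc` to Ruby's configure) and the `RbConfig` check are as I know them from ruby-install's and Ruby's documentation; confirm them against the release you pin.

```dockerfile
# Added example (not the PR's own Dockerfile): Debian 12 base, Ruby built
# from source with ruby-install, linked against jemalloc, build inputs
# removed in the same layer.
FROM debian:12-slim

# Placeholders: pass real values with --build-arg. RUBYINSTALL_SHA256 is the
# sha256 of the ruby-install release tarball you decided to trust.
ARG RUBYINSTALL_VERSION
ARG RUBYINSTALL_SHA256
ARG RUBY_VERSION

# Toolchain plus the libraries Ruby links against; libjemalloc-dev supplies
# the allocator the thread asks about.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      build-essential ca-certificates curl bison \
      libffi-dev libgdbm-dev libjemalloc-dev libncurses-dev \
      libreadline-dev libssl-dev libyaml-dev zlib1g-dev \
 && rm -rf /var/lib/apt/lists/*

# 1. Download ruby-install and refuse to continue if the checksum differs.
# 2. Install it, then build Ruby: --system installs under /usr/local,
#    --cleanup removes the Ruby archive and unpacked sources, and anything
#    after -- is passed to Ruby's ./configure.
# 3. Remove the ruby-install tarball, its source tree and the installed
#    ruby-install files themselves, all in this layer.
# 4. Fail the build if the resulting Ruby is not linked against jemalloc.
RUN set -eux; \
    cd /tmp; \
    curl -fsSL -o "ruby-install-${RUBYINSTALL_VERSION}.tar.gz" \
      "https://github.com/postmodern/ruby-install/releases/download/v${RUBYINSTALL_VERSION}/ruby-install-${RUBYINSTALL_VERSION}.tar.gz"; \
    echo "${RUBYINSTALL_SHA256}  ruby-install-${RUBYINSTALL_VERSION}.tar.gz" | sha256sum -c -; \
    tar -xzf "ruby-install-${RUBYINSTALL_VERSION}.tar.gz"; \
    make -C "ruby-install-${RUBYINSTALL_VERSION}" install; \
    ruby-install --system --cleanup ruby "${RUBY_VERSION}" -- \
      --with-jemalloc --disable-install-doc; \
    rm -rf "/tmp/ruby-install-${RUBYINSTALL_VERSION}" \
           "/tmp/ruby-install-${RUBYINSTALL_VERSION}.tar.gz" \
           /usr/local/bin/ruby-install /usr/local/share/ruby-install; \
    ruby -e 'exit(RbConfig::CONFIG["MAINLIBS"].include?("jemalloc") ? 0 : 1)'

CMD ["ruby", "--version"]
```

Build it with `docker build --build-arg RUBYINSTALL_VERSION=... --build-arg RUBYINSTALL_SHA256=... --build-arg RUBY_VERSION=... .`; because download, build and cleanup share one RUN instruction, the tarball and sources never land in an intermediate layer, which is what makes the cleanup matter for image scanners rather than only for image size.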

In my experience, SonarQube complains about Debian 12 itself, not Ruby, but it's still a good idea.

top4ek avatar Apr 15 '25 14:04 top4ek

This doesn't really reduce our current vulnerabilities. Closing for now.

oliverguenther avatar Apr 29 '25 11:04 oliverguenther