Skip to content

Chore: reduce attack surface and size for Docker image#13

Merged
gquintard merged 1 commit intomasterfrom
unknown repository
Apr 13, 2023
Merged

Chore: reduce attack surface and size for Docker image#13
gquintard merged 1 commit intomasterfrom
unknown repository

Conversation

@bqcuong
Copy link
Contributor

@bqcuong bqcuong commented Apr 11, 2023

Hi,

This pull request includes a small improvement for the Dockerfile, which should help improve the security of container and reduce the risk of potential attacks.

In detail:

  • I added --no-install-recommends to remove unnecessary apt packages, that were not needed for the container's functionality. Not only can this change trim your image size but it also can also reduce the attack surface.

I hope that you find them useful. Please let me know if you have any concerns.

Thank you.

@gquintard
Copy link
Collaborator

gquintard commented Apr 11, 2023

hi, thanks for opening this. What's the size gain with this?

@bqcuong
Copy link
Contributor Author

bqcuong commented Apr 11, 2023
edited
Loading

Hi @gquintard,

I updated the differences between the builds before and after the improvement as below:

  • The image size slightly reduces from 85.3MB to 84.9MB, likely because you removed the base packages (with apt-get purge) after using them.
  • The number of newly installed packages reduces from 386 pkgs to 163 pkgs (avoid 223 unnecessary packages)

Without --no-install-recommends in your Dockerfile, I think the installation of many unnecessary packages consumes more network bandwidth and time.
Moreover, in general, avoiding the installation of unnecessary packages is highly recommended for the security of your Docker containers.
As quoted from CIS Docker Benchmark v1.5.0:

4.3 Ensure that unnecessary packages are not installed in the container
Description:
Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface.
Rationale:
Unnecessary software should not be installed into containers, as doing so increases their attack surface. Only packages strictly necessary for the correct operation of the application being deployed should be installed.

I hope you find this additional information helpful.
For your information, below logs are extracted from the build logs before and after the improvement.

// before improvement
+ apt-get install -y apt-utils curl dirmngr dpkg-dev debhelper devscripts equivs fakeroot git gnupg pkg-config
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  autoconf automake autopoint autotools-dev binutils binutils-common
  binutils-x86-64-linux-gnu bsdextrautils build-essential bzip2
  ca-certificates cpp cpp-10 dctrl-tools debian-keyring dh-autoreconf
  dh-strip-nondeterminism diffstat distro-info-data dput dwz file
  fontconfig-config fonts-dejavu-core g++ g++-10 gcc gcc-10 gettext
  gettext-base git-man gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client
  gpg-wks-server gpgconf gpgsm groff-base intltool-debian iso-codes less
  libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl
  libaliased-perl libapt-pkg-perl libarchive-cpio-perl libarchive-zip-perl
  libarchive13 libarray-intspan-perl libasan6 libassuan0 libatomic1
  libauthen-sasl-perl libb-hooks-endofscope-perl libb-hooks-op-check-perl
  libbinutils libbrotli1 libbsd0 libc-dev-bin libc-devtools libc6-dev
  libcapture-tiny-perl libcbor0 libcc1-0 libclass-data-inheritable-perl
  libclass-inspector-perl libclass-method-modifiers-perl
  libclass-xsaccessor-perl libclone-perl libcommon-sense-perl
  libconfig-tiny-perl libconst-fast-perl libcontextual-return-perl
  libconvert-binhex-perl libcpanel-json-xs-perl libcrypt-dev libctf-nobfd0
  libctf0 libcurl3-gnutls libcurl4 libdata-dpath-perl libdata-dump-perl
  libdata-messagepack-perl libdata-optlist-perl libdata-validate-domain-perl
  libdebhelper-perl libdeflate0 libdevel-callchecker-perl libdevel-size-perl
  libdevel-stacktrace-perl libdistro-info-perl libdpkg-perl
  libdynaloader-functions-perl libedit2 libelf1 libemail-address-xs-perl
  libencode-locale-perl liberror-perl libexception-class-perl libexpat1
  libexporter-tiny-perl libfakeroot libfcgi-bin libfcgi-perl libfcgi0ldbl
  libfido2-1 libfile-basedir-perl libfile-chdir-perl libfile-dirlist-perl
  libfile-fcntllock-perl libfile-find-rule-perl libfile-homedir-perl
  libfile-listing-perl libfile-stripnondeterminism-perl libfile-touch-perl
  libfile-which-perl libfont-afm-perl libfont-ttf-perl libfontconfig1
  libfreetype6 libgcc-10-dev libgd3 libgdbm-compat4 libgdbm6
  libgetopt-long-descriptive-perl libgit-wrapper-perl libgitlab-api-v4-perl
  libglib2.0-0 libglib2.0-data libgomp1 libgpgme11 libgpm2
  libhash-fieldhash-perl libhtml-form-perl libhtml-format-perl
  libhtml-html5-entities-perl libhtml-parser-perl libhtml-tagset-perl
  libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl
  libhttp-message-perl libhttp-negotiate-perl libhttp-tiny-multipart-perl
  libicu67 libimport-into-perl libio-html-perl libio-prompter-perl
  libio-pty-perl libio-sessiondata-perl libio-socket-ssl-perl
  libio-string-perl libio-stringy-perl libipc-run-perl libipc-run3-perl
  libipc-system-simple-perl libisl23 libiterator-perl libiterator-util-perl
  libitm1 libjbig0 libjpeg62-turbo libjson-maybexs-perl libjson-perl
  libjson-xs-perl libksba8 libldap-2.4-2 libldap-common liblist-compare-perl
  liblist-moreutils-perl liblist-moreutils-xs-perl liblist-someutils-perl
  liblist-someutils-xs-perl liblist-utilsby-perl liblocale-gettext-perl
  liblog-any-adapter-screen-perl liblog-any-perl liblsan0 libltdl-dev libltdl7
  liblwp-mediatypes-perl liblwp-protocol-https-perl liblzo2-2 libmagic-mgc
  libmagic1 libmail-sendmail-perl libmailtools-perl libmarkdown2 libmd0
  libmime-tools-perl libmodule-implementation-perl libmodule-runtime-perl
  libmoo-perl libmoox-aliases-perl libmoox-struct-perl libmouse-perl libmpc3
  libmpdec3 libmpfr6 libnamespace-autoclean-perl libnamespace-clean-perl
  libncursesw6 libnet-domain-tld-perl libnet-http-perl libnet-smtp-ssl-perl
  libnet-ssleay-perl libnghttp2-14 libnpth0 libnsl-dev libnumber-compare-perl
  libnumber-range-perl libobject-id-perl libossp-uuid-perl libossp-uuid16
  libpackage-stash-perl libpackage-stash-xs-perl libparams-classify-perl
  libparams-util-perl libparams-validate-perl libpath-iterator-rule-perl
  libpath-tiny-perl libperl5.32 libperlio-gzip-perl libpipeline1 libpng16-16
  libpod-constants-perl libpod-parser-perl libproc-processtable-perl libpsl5
  libpython3-stdlib libpython3.9-minimal libpython3.9-stdlib libquadmath0
  libre-engine-re2-perl libre2-9 libreadline8 libreadonly-perl
  libref-util-perl libref-util-xs-perl libregexp-pattern-license-perl
  libregexp-pattern-perl librole-tiny-perl librtmp1 libsasl2-2
  libsasl2-modules libsasl2-modules-db libsereal-decoder-perl
  libsereal-encoder-perl libsigsegv2 libsoap-lite-perl libsort-key-perl
  libsort-versions-perl libsqlite3-0 libssh2-1 libstdc++-10-dev
  libstrictures-perl libstring-copyright-perl libstring-escape-perl
  libstring-shellquote-perl libsub-exporter-perl
  libsub-exporter-progressive-perl libsub-identify-perl libsub-install-perl
  libsub-name-perl libsub-override-perl libsub-quote-perl
  libsys-cpuaffinity-perl libsys-hostname-long-perl libtask-weaken-perl
  libterm-readkey-perl libtext-glob-perl libtext-levenshteinxs-perl
  libtext-markdown-discount-perl libtext-xslate-perl libtiff5
  libtime-duration-perl libtime-moment-perl libtimedate-perl libtirpc-dev
  libtool libtry-tiny-perl libtsan0 libtype-tiny-perl libtype-tiny-xs-perl
  libtypes-serialiser-perl libubsan1 libuchardet0 libunicode-utf8-perl
  libunwind8 liburi-perl libvariable-magic-perl libwant-perl libwebp6
  libwww-perl libwww-robotrules-perl libx11-6 libx11-data libxau6 libxcb1
  libxdelta2 libxdmcp6 libxext6 libxml-libxml-perl
  libxml-namespacesupport-perl libxml-parser-perl libxml-sax-base-perl
  libxml-sax-expat-perl libxml-sax-perl libxml2 libxmlrpc-lite-perl libxmuu1
  libxpm4 libyaml-0-2 libyaml-libyaml-perl licensecheck lintian linux-libc-dev
  lsb-release lzip lzop m4 make man-db manpages manpages-dev media-types
  netbase openssh-client openssl patch patchutils pbzip2 perl
  perl-modules-5.32 perl-openssl-defaults pinentry-curses pixz po-debconf
  pristine-tar publicsuffix python-apt-common python3 python3-apt
  python3-certifi python3-chardet python3-debian python3-gpg python3-idna
  python3-magic python3-minimal python3-pkg-resources python3-requests
  python3-six python3-unidiff python3-urllib3 python3-xdg python3.9
  python3.9-minimal readline-common sensible-utils shared-mime-info strace
  t1utils ucf unzip wdiff xauth xdelta xdelta3 xdg-user-dirs xz-utils
Suggested packages:
  autoconf-archive gnu-standards autoconf-doc binutils-doc bzip2-doc cpp-doc
  gcc-10-locales debtags dh-make adequate at autopkgtest bls-standalone
  bsd-mailx | mailx check-all-the-things cvs-buildpackage devscripts-el
  diffoscope disorderfs dose-extra duck faketime gnuplot how-can-i-help
  libdbd-pg-perl libfile-desktopentry-perl libnet-smtps-perl libterm-size-perl
  libyaml-syck-perl mmdebstrap mozilla-devscripts mutt piuparts
  postgresql-client pristine-lfs quilt ratt reprotest svn-buildpackage w3m
  dbus-user-session libpam-systemd pinentry-gnome3 tor mini-dinstall rsync
  g++-multilib g++-10-multilib gcc-10-doc gcc-multilib flex bison gdb gcc-doc
  gcc-10-multilib gettext-doc libasprintf-dev libgettextpo-dev git-daemon-run
  | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-cvs
  git-mediawiki git-svn parcimonie xloadimage scdaemon groff isoquery lrzip
  libdigest-hmac-perl libgssapi-perl glibc-doc bzr libgd-tools gdbm-l10n gpm
  libtool-doc libcrypt-ssleay-perl uuid libscalar-number-perl
  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
  libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql
  libapache2-mod-perl2 libmime-lite-perl libnet-jabber-perl libstdc++-10-doc
  libbareword-filehandles-perl libindirect-perl libmultidimensional-perl
  gfortran | fortran95-compiler gcj-jdk libdevel-lexalias-perl
  libauthen-ntlm-perl libxml-sax-expatxs-perl bash-completion
  binutils-multiarch libtext-template-perl m4-doc make-doc apparmor
  www-browser keychain libpam-ssh monkeysphere ssh-askpass ed diffutils-doc
  perl-doc libterm-readline-gnu-perl | libterm-readline-perl-perl
  libtap-harness-archive-perl pinentry-doc libmail-box-perl python3-doc
  python3-tk python3-venv python3-apt-dbg python-apt-doc python3-setuptools
  python3-cryptography python3-openssl python3-socks python-requests-doc
  python3.9-venv python3.9-doc binfmt-support readline-doc zip wdiff-doc
The following NEW packages will be installed:
  apt-utils autoconf automake autopoint autotools-dev binutils binutils-common
  binutils-x86-64-linux-gnu bsdextrautils build-essential bzip2
  ca-certificates cpp cpp-10 curl dctrl-tools debhelper debian-keyring
  devscripts dh-autoreconf dh-strip-nondeterminism diffstat dirmngr
  distro-info-data dpkg-dev dput dwz equivs fakeroot file fontconfig-config
  fonts-dejavu-core g++ g++-10 gcc gcc-10 gettext gettext-base git git-man
  gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server
  gpgconf gpgsm groff-base intltool-debian iso-codes less
  libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl
  libaliased-perl libapt-pkg-perl libarchive-cpio-perl libarchive-zip-perl
  libarchive13 libarray-intspan-perl libasan6 libassuan0 libatomic1
  libauthen-sasl-perl libb-hooks-endofscope-perl libb-hooks-op-check-perl
  libbinutils libbrotli1 libbsd0 libc-dev-bin libc-devtools libc6-dev
  libcapture-tiny-perl libcbor0 libcc1-0 libclass-data-inheritable-perl
  libclass-inspector-perl libclass-method-modifiers-perl
  libclass-xsaccessor-perl libclone-perl libcommon-sense-perl
  libconfig-tiny-perl libconst-fast-perl libcontextual-return-perl
  libconvert-binhex-perl libcpanel-json-xs-perl libcrypt-dev libctf-nobfd0
  libctf0 libcurl3-gnutls libcurl4 libdata-dpath-perl libdata-dump-perl
  libdata-messagepack-perl libdata-optlist-perl libdata-validate-domain-perl
  libdebhelper-perl libdeflate0 libdevel-callchecker-perl libdevel-size-perl
  libdevel-stacktrace-perl libdistro-info-perl libdpkg-perl
  libdynaloader-functions-perl libedit2 libelf1 libemail-address-xs-perl
  libencode-locale-perl liberror-perl libexception-class-perl libexpat1
  libexporter-tiny-perl libfakeroot libfcgi-bin libfcgi-perl libfcgi0ldbl
  libfido2-1 libfile-basedir-perl libfile-chdir-perl libfile-dirlist-perl
  libfile-fcntllock-perl libfile-find-rule-perl libfile-homedir-perl
  libfile-listing-perl libfile-stripnondeterminism-perl libfile-touch-perl
  libfile-which-perl libfont-afm-perl libfont-ttf-perl libfontconfig1
  libfreetype6 libgcc-10-dev libgd3 libgdbm-compat4 libgdbm6
  libgetopt-long-descriptive-perl libgit-wrapper-perl libgitlab-api-v4-perl
  libglib2.0-0 libglib2.0-data libgomp1 libgpgme11 libgpm2
  libhash-fieldhash-perl libhtml-form-perl libhtml-format-perl
  libhtml-html5-entities-perl libhtml-parser-perl libhtml-tagset-perl
  libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl
  libhttp-message-perl libhttp-negotiate-perl libhttp-tiny-multipart-perl
  libicu67 libimport-into-perl libio-html-perl libio-prompter-perl
  libio-pty-perl libio-sessiondata-perl libio-socket-ssl-perl
  libio-string-perl libio-stringy-perl libipc-run-perl libipc-run3-perl
  libipc-system-simple-perl libisl23 libiterator-perl libiterator-util-perl
  libitm1 libjbig0 libjpeg62-turbo libjson-maybexs-perl libjson-perl
  libjson-xs-perl libksba8 libldap-2.4-2 libldap-common liblist-compare-perl
  liblist-moreutils-perl liblist-moreutils-xs-perl liblist-someutils-perl
  liblist-someutils-xs-perl liblist-utilsby-perl liblocale-gettext-perl
  liblog-any-adapter-screen-perl liblog-any-perl liblsan0 libltdl-dev libltdl7
  liblwp-mediatypes-perl liblwp-protocol-https-perl liblzo2-2 libmagic-mgc
  libmagic1 libmail-sendmail-perl libmailtools-perl libmarkdown2 libmd0
  libmime-tools-perl libmodule-implementation-perl libmodule-runtime-perl
  libmoo-perl libmoox-aliases-perl libmoox-struct-perl libmouse-perl libmpc3
  libmpdec3 libmpfr6 libnamespace-autoclean-perl libnamespace-clean-perl
  libncursesw6 libnet-domain-tld-perl libnet-http-perl libnet-smtp-ssl-perl
  libnet-ssleay-perl libnghttp2-14 libnpth0 libnsl-dev libnumber-compare-perl
  libnumber-range-perl libobject-id-perl libossp-uuid-perl libossp-uuid16
  libpackage-stash-perl libpackage-stash-xs-perl libparams-classify-perl
  libparams-util-perl libparams-validate-perl libpath-iterator-rule-perl
  libpath-tiny-perl libperl5.32 libperlio-gzip-perl libpipeline1 libpng16-16
  libpod-constants-perl libpod-parser-perl libproc-processtable-perl libpsl5
  libpython3-stdlib libpython3.9-minimal libpython3.9-stdlib libquadmath0
  libre-engine-re2-perl libre2-9 libreadline8 libreadonly-perl
  libref-util-perl libref-util-xs-perl libregexp-pattern-license-perl
  libregexp-pattern-perl librole-tiny-perl librtmp1 libsasl2-2
  libsasl2-modules libsasl2-modules-db libsereal-decoder-perl
  libsereal-encoder-perl libsigsegv2 libsoap-lite-perl libsort-key-perl
  libsort-versions-perl libsqlite3-0 libssh2-1 libstdc++-10-dev
  libstrictures-perl libstring-copyright-perl libstring-escape-perl
  libstring-shellquote-perl libsub-exporter-perl
  libsub-exporter-progressive-perl libsub-identify-perl libsub-install-perl
  libsub-name-perl libsub-override-perl libsub-quote-perl
  libsys-cpuaffinity-perl libsys-hostname-long-perl libtask-weaken-perl
  libterm-readkey-perl libtext-glob-perl libtext-levenshteinxs-perl
  libtext-markdown-discount-perl libtext-xslate-perl libtiff5
  libtime-duration-perl libtime-moment-perl libtimedate-perl libtirpc-dev
  libtool libtry-tiny-perl libtsan0 libtype-tiny-perl libtype-tiny-xs-perl
  libtypes-serialiser-perl libubsan1 libuchardet0 libunicode-utf8-perl
  libunwind8 liburi-perl libvariable-magic-perl libwant-perl libwebp6
  libwww-perl libwww-robotrules-perl libx11-6 libx11-data libxau6 libxcb1
  libxdelta2 libxdmcp6 libxext6 libxml-libxml-perl
  libxml-namespacesupport-perl libxml-parser-perl libxml-sax-base-perl
  libxml-sax-expat-perl libxml-sax-perl libxml2 libxmlrpc-lite-perl libxmuu1
  libxpm4 libyaml-0-2 libyaml-libyaml-perl licensecheck lintian linux-libc-dev
  lsb-release lzip lzop m4 make man-db manpages manpages-dev media-types
  netbase openssh-client openssl patch patchutils pbzip2 perl
  perl-modules-5.32 perl-openssl-defaults pinentry-curses pixz pkg-config
  po-debconf pristine-tar publicsuffix python-apt-common python3 python3-apt
  python3-certifi python3-chardet python3-debian python3-gpg python3-idna
  python3-magic python3-minimal python3-pkg-resources python3-requests
  python3-six python3-unidiff python3-urllib3 python3-xdg python3.9
  python3.9-minimal readline-common sensible-utils shared-mime-info strace
  t1utils ucf unzip wdiff xauth xdelta xdelta3 xdg-user-dirs xz-utils
0 upgraded, 386 newly installed, 0 to remove and 1 not upgraded.

// after improvement
+ apt-get install -y --no-install-recommends apt-utils curl dirmngr dpkg-dev debhelper devscripts equivs fakeroot git gnupg pkg-config
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  autoconf automake autopoint autotools-dev binutils binutils-common
  binutils-x86-64-linux-gnu bsdextrautils bzip2 ca-certificates cpp cpp-10
  dh-autoreconf dh-strip-nondeterminism dwz file gcc gcc-10 gettext
  gettext-base git-man gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client
  gpg-wks-server gpgconf gpgsm groff-base intltool-debian libarchive-zip-perl
  libasan6 libassuan0 libatomic1 libb-hooks-op-check-perl libbinutils
  libbrotli1 libc-dev-bin libc6-dev libcc1-0 libclass-method-modifiers-perl
  libcrypt-dev libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4
  libdebhelper-perl libdevel-callchecker-perl libdpkg-perl
  libdynaloader-functions-perl libelf1 libencode-locale-perl liberror-perl
  libexpat1 libfakeroot libfile-dirlist-perl libfile-homedir-perl
  libfile-listing-perl libfile-stripnondeterminism-perl libfile-touch-perl
  libfile-which-perl libgcc-10-dev libgdbm-compat4 libgdbm6 libglib2.0-0
  libgomp1 libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libhttp-cookies-perl libhttp-date-perl libhttp-message-perl
  libhttp-negotiate-perl libicu67 libimport-into-perl libio-html-perl
  libio-pty-perl libio-socket-ssl-perl libipc-run-perl libisl23 libitm1
  libksba8 libldap-2.4-2 liblsan0 liblwp-mediatypes-perl
  liblwp-protocol-https-perl libmagic-mgc libmagic1 libmodule-runtime-perl
  libmoo-perl libmpc3 libmpdec3 libmpfr6 libncursesw6 libnet-http-perl
  libnet-ssleay-perl libnghttp2-14 libnpth0 libnsl-dev libparams-classify-perl
  libperl5.32 libpipeline1 libpsl5 libpython3-stdlib libpython3.9-minimal
  libpython3.9-stdlib libquadmath0 libreadline8 librole-tiny-perl librtmp1
  libsasl2-2 libsasl2-modules-db libsigsegv2 libsqlite3-0 libssh2-1
  libstrictures-perl libsub-override-perl libsub-quote-perl libtimedate-perl
  libtirpc-dev libtool libtry-tiny-perl libtsan0 libubsan1 libuchardet0
  liburi-perl libwww-perl libwww-robotrules-perl libxml2 linux-libc-dev m4
  make man-db media-types netbase openssl patch patchutils perl
  perl-modules-5.32 perl-openssl-defaults pinentry-curses po-debconf python3
  python3-minimal python3.9 python3.9-minimal readline-common sensible-utils
  wdiff xz-utils
Suggested packages:
  autoconf-archive gnu-standards autoconf-doc binutils-doc bzip2-doc cpp-doc
  gcc-10-locales dh-make adequate at autopkgtest bls-standalone bsd-mailx
  | mailx build-essential check-all-the-things cvs-buildpackage devscripts-el
  diffoscope disorderfs dose-extra duck faketime gnuplot how-can-i-help
  libauthen-sasl-perl libdbd-pg-perl libfile-desktopentry-perl
  libnet-smtps-perl libterm-size-perl libyaml-syck-perl mmdebstrap
  mozilla-devscripts mutt piuparts postgresql-client pristine-lfs quilt ratt
  reprotest ssh-client svn-buildpackage w3m dbus-user-session libpam-systemd
  pinentry-gnome3 tor debian-keyring gcc-multilib manpages-dev flex bison gdb
  gcc-doc gcc-10-multilib gcc-10-doc gettext-doc libasprintf-dev
  libgettextpo-dev git-daemon-run | git-daemon-sysvinit git-doc git-el
  git-email git-gui gitk gitweb git-cvs git-mediawiki git-svn parcimonie
  xloadimage scdaemon groff glibc-doc bzr gdbm-l10n libdata-dump-perl
  libcrypt-ssleay-perl libscalar-number-perl libbareword-filehandles-perl
  libindirect-perl libmultidimensional-perl libtool-doc gfortran
  | fortran95-compiler gcj-jdk libauthen-ntlm-perl m4-doc make-doc apparmor
  less www-browser ed diffutils-doc perl-doc libterm-readline-gnu-perl
  | libterm-readline-perl-perl libtap-harness-archive-perl pinentry-doc
  libmail-box-perl python3-doc python3-tk python3-venv python3.9-venv
  python3.9-doc binfmt-support readline-doc wdiff-doc
Recommended packages:
  dctrl-tools dput | dupload libdistro-info-perl libgit-wrapper-perl
  libgitlab-api-v4-perl liblist-compare-perl libstring-shellquote-perl
  licensecheck lintian pristine-tar python3-apt python3-debian python3-magic
  python3-requests python3-unidiff python3-xdg strace unzip debian-keyring
  libsoap-lite-perl build-essential libalgorithm-merge-perl less ssh-client
  manpages manpages-dev libc-devtools libfile-fcntllock-perl
  liblocale-gettext-perl libarchive-cpio-perl libglib2.0-data shared-mime-info
  xdg-user-dirs libhtml-format-perl libclone-perl libldap-common
  libclass-xsaccessor-perl libnamespace-clean-perl libsub-name-perl libgpm2
  publicsuffix libsasl2-modules libltdl-dev libdata-dump-perl
  libhtml-form-perl libhttp-daemon-perl libmailtools-perl
  libmail-sendmail-perl
The following NEW packages will be installed:
  apt-utils autoconf automake autopoint autotools-dev binutils binutils-common
  binutils-x86-64-linux-gnu bsdextrautils bzip2 ca-certificates cpp cpp-10
  curl debhelper devscripts dh-autoreconf dh-strip-nondeterminism dirmngr
  dpkg-dev dwz equivs fakeroot file gcc gcc-10 gettext gettext-base git
  git-man gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client
  gpg-wks-server gpgconf gpgsm groff-base intltool-debian libarchive-zip-perl
  libasan6 libassuan0 libatomic1 libb-hooks-op-check-perl libbinutils
  libbrotli1 libc-dev-bin libc6-dev libcc1-0 libclass-method-modifiers-perl
  libcrypt-dev libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4
  libdebhelper-perl libdevel-callchecker-perl libdpkg-perl
  libdynaloader-functions-perl libelf1 libencode-locale-perl liberror-perl
  libexpat1 libfakeroot libfile-dirlist-perl libfile-homedir-perl
  libfile-listing-perl libfile-stripnondeterminism-perl libfile-touch-perl
  libfile-which-perl libgcc-10-dev libgdbm-compat4 libgdbm6 libglib2.0-0
  libgomp1 libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libhttp-cookies-perl libhttp-date-perl libhttp-message-perl
  libhttp-negotiate-perl libicu67 libimport-into-perl libio-html-perl
  libio-pty-perl libio-socket-ssl-perl libipc-run-perl libisl23 libitm1
  libksba8 libldap-2.4-2 liblsan0 liblwp-mediatypes-perl
  liblwp-protocol-https-perl libmagic-mgc libmagic1 libmodule-runtime-perl
  libmoo-perl libmpc3 libmpdec3 libmpfr6 libncursesw6 libnet-http-perl
  libnet-ssleay-perl libnghttp2-14 libnpth0 libnsl-dev libparams-classify-perl
  libperl5.32 libpipeline1 libpsl5 libpython3-stdlib libpython3.9-minimal
  libpython3.9-stdlib libquadmath0 libreadline8 librole-tiny-perl librtmp1
  libsasl2-2 libsasl2-modules-db libsigsegv2 libsqlite3-0 libssh2-1
  libstrictures-perl libsub-override-perl libsub-quote-perl libtimedate-perl
  libtirpc-dev libtool libtry-tiny-perl libtsan0 libubsan1 libuchardet0
  liburi-perl libwww-perl libwww-robotrules-perl libxml2 linux-libc-dev m4
  make man-db media-types netbase openssl patch patchutils perl
  perl-modules-5.32 perl-openssl-defaults pinentry-curses pkg-config
  po-debconf python3 python3-minimal python3.9 python3.9-minimal
  readline-common sensible-utils wdiff xz-utils
0 upgraded, 163 newly installed, 0 to remove and 1 not upgraded.

@gquintard gquintard merged commit 57484c4 into varnish:master Apr 13, 2023
@gquintard
Copy link
Collaborator

gquintard commented Apr 13, 2023

after looking at the output of dpkg -l on both images, the patch basically just gets rid of the manpages package, which means that all the extra stuff that was being installed was also being removed.

All in all the size gain is negligible, the security benefit is about zero, but on my laptop, the image build a lot faster (3:15 down from 5:45), I'll take that win.

Merged, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bqcuong @gquintard