Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
| ... | ... |
@@ -187,6 +187,44 @@ Please read [our blog post]( |
| 187 | 187 |
http://blog.docker.io/2014/01/docker-code-contributions-require-developer-certificate-of-origin/) |
| 188 | 188 |
on the introduction of the DCO. |
| 189 | 189 |
|
| 190 |
+### When building an image, should I prefer system libraries or bundled ones? |
|
| 191 |
+ |
|
| 192 |
+*This is a summary of a discussion on the [docker-dev mailing list]( |
|
| 193 |
+https://groups.google.com/forum/#!topic/docker-dev/L2RBSPDu1L0).* |
|
| 194 |
+ |
|
| 195 |
+Virtually all programs depend on third-party libraries. Most frequently, |
|
| 196 |
+they will use dynamic linking and some kind of package dependency, so |
|
| 197 |
+that when multiple programs need the same library, it is installed only once. |
|
| 198 |
+ |
|
| 199 |
+Some programs, however, will bundle their third-party libraries, because |
|
| 200 |
+they rely on very specific versions of those libraries. For instance, |
|
| 201 |
+Node.js bundles OpenSSL; MongoDB bundles V8 and Boost (among others). |
|
| 202 |
+ |
|
| 203 |
+When creating a Docker image, is it better to use the bundled libraries, |
|
| 204 |
+or should you build those programs so that they use the default system |
|
| 205 |
+libraries instead? |
|
| 206 |
+ |
|
| 207 |
+The key point about system libraries is not about saving disk or memory |
|
| 208 |
+space. It is about security. All major distributions handle security |
|
| 209 |
+seriously, by having dedicated security teams, following up closely |
|
| 210 |
+with published vulnerabilities, and disclosing advisories themselves. |
|
| 211 |
+(Look at the [Debian Security Information](https://www.debian.org/security/) |
|
| 212 |
+for an example of those procedures.) Upstream developers, however, |
|
| 213 |
+do not always implement similar practices. |
|
| 214 |
+ |
|
| 215 |
+Before setting up a Docker image to compile a program from source, |
|
| 216 |
+if you want to use bundled libraries, you should check if the upstream |
|
| 217 |
+authors provide a convenient way to announce security vulnerabilities, |
|
| 218 |
+and if they update their bundled libraries in a timely manner. If they |
|
| 219 |
+don't, you are exposing yourself (and the users of your image) to |
|
| 220 |
+security vulnerabilities. |
|
| 221 |
+ |
|
| 222 |
+Likewise, before using packages built by others, you should check if the |
|
| 223 |
+channels providing those packages implement similar security best practices. |
|
| 224 |
+Downloading and installing an "all-in-one" .deb or .rpm sounds great at first, |
|
| 225 |
+except if you have no way to figure out that it contains a copy of the |
|
| 226 |
+OpenSSL library vulnerable to the [Heartbleed](http://heartbleed.com/) bug. |
|
| 227 |
+ |
|
| 190 | 228 |
### Can I help by adding some questions and answers? |
| 191 | 229 |
|
| 192 | 230 |
Definitely! You can fork [the repo](https://github.com/dotcloud/docker) and |
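Review bot: the security argument in the new paragraph starting "The key point about system libraries is not about saving disk or memory space. It is about security." is missing a step: distribution security teams ship fixes as package updates, but an image built from a Dockerfile only picks those up when it is rebuilt (or its packages upgraded) after the advisory, so system libraries in a stale image are no safer than bundled ones. Suggest adding one sentence to that paragraph, for instance "Note that you still have to rebuild or update your image to get those fixes; a system library in an image that is never rebuilt stays vulnerable just like a bundled one." Also, the section asks "is it better to use the bundled libraries, or should you build those programs so that they use the default system libraries instead?" but never states the recommendation directly; a closing line such as "In short: prefer system libraries, and use bundled ones only when upstream announces vulnerabilities and updates them promptly" would make the FAQ answer explicit.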