It looks like starting with Jib 3.0; you no longer have default distroless images for your Java applications. Instead, you will get an adoptOpenjdk base image if you don't specify one. You still can configure and use distroless base images as per this link. I am just wondering if the adoptOpenJDK image is more secure, slimmer than distroless?. What's the benefit?
The Jib team was maintaining the Java specific images for distroless. Debian, from which distroless obtains its packages, dropped support for Java8 starting with Debian10. Java8 builds used Debian9 dependencies (outdated), which led to many many CVEs in the container image. This is a problem for users who require Java8 (lots of jib users), and at the moment the Jib team does not have the bandwidth to put together a high quality Java8 product for distroless.
Switching the default to adoptopenjdk, gives users consistently maintained images by adoptOpenJDK folks.
This is no means a knock on Distroless, it is still a great project, however a lack of resources and a complicated Java situation has led us here. Distroless is an opensource project, and anyone willing to create or update the workflow for Java8 can contribute directly. As far as I know, the distroless Java11 images is still available based on Debian10 packages, and you can use that as a base image if you like.
© 2022 - 2024 — McMap. All rights reserved.