Release policy - stables release updates

[fira959]

When using the current stable release on tag "latest", DMS comes with an image that is missing several month of updates, including a a lot of security patches. I am a bit confused as to how DMS is intended to be used when the only alternative is the "edge" version that is explicitly not a stable release.

The "latest" version has the following outstanding package updates as of today:

Install: libsub-exporter-perl:amd64 (0.989-1, automatic), libparams-validate-perl:amd64 (1.31-1, automatic), libtry-tiny-perl:amd64 (0.31-2, automatic), libdevel-callchecker-perl:amd64 (0.008-2, automatic), libdynaloader-functions-perl:amd64 (0.003-3, automatic), libsub-install-perl:amd64 (0.929-1, automatic), libgetopt-long-descriptive-perl:amd64 (0.111-1, automatic), libmodule-implementation-perl:amd64 (0.09-2, automatic), libparams-classify-perl:amd64 (0.015-2+b1, automatic), libdata-optlist-perl:amd64 (0.113-1, automatic), libmodule-runtime-perl:amd64 (0.016-2, automatic), libparams-util-perl:amd64 (1.102-2+b1, automatic), libb-hooks-op-check-perl:amd64 (0.22-2+b1, automatic)
> Upgrade: clamav-daemon:amd64 (1.0.3+dfsg-1~deb12u1, 1.0.5+dfsg-1~deb12u1), rspamd:amd64 (3.8.4-1~93fa4f6dc~bookworm, 3.10.0-1~eab554ec1~bookworm), libcurl4:amd64 (7.88.1-10+deb12u5, 7.88.1-10+deb12u7), dovecot-ldap:amd64 (1:2.3.19.1+dfsg1-2.1, 1:2.3.19.1+dfsg1-2.1+deb12u1), python3.11:amd64 (3.11.2-6, 3.11.2-6+deb12u3), postfix-pcre:amd64 (3.7.10-0+deb12u1, 3.7.11-0+deb12u1), bind9-host:amd64 (1:9.18.24-1, 1:9.18.28-1~deb12u2), libgssapi-krb5-2:amd64 (1.20.1-2+deb12u1, 1.20.1-2+deb12u2), clamav:amd64 (1.0.3+dfsg-1~deb12u1, 1.0.5+dfsg-1~deb12u1), dovecot-auth-lua:amd64 (1:2.3.19.1+dfsg1-2.1, 1:2.3.19.1+dfsg1-2.1+deb12u1), libarchive13:amd64 (3.6.2-1, 3.6.2-1+deb12u1), dovecot-imapd:amd64 (1:2.3.19.1+dfsg1-2.1, 1:2.3.19.1+dfsg1-2.1+deb12u1), libclamav11:amd64 (1.0.3+dfsg-1~deb12u1, 1.0.5+dfsg-1~deb12u1), libexpat1:amd64 (2.5.0-1, 2.5.0-1+deb12u1), clamav-base:amd64 (1.0.3+dfsg-1~deb12u1, 1.0.5+dfsg-1~deb12u1), liblua5.4-0:amd64 (5.4.4-3, 5.4.4-3+deb12u1), libsystemd0:amd64 (252.22-1~deb12u1, 252.30-1~deb12u2), postfix-ldap:amd64 (3.7.10-0+deb12u1, 3.7.11-0+deb12u1), libpython3.11-minimal:amd64 (3.11.2-6, 3.11.2-6+deb12u3), libkrb5support0:amd64 (1.20.1-2+deb12u1, 1.20.1-2+deb12u2), libglib2.0-data:amd64 (2.74.6-2+deb12u2, 2.74.6-2+deb12u3), dovecot-lmtpd:amd64 (1:2.3.19.1+dfsg1-2.1, 1:2.3.19.1+dfsg1-2.1+deb12u1), clamav-freshclam:amd64 (1.0.3+dfsg-1~deb12u1, 1.0.5+dfsg-1~deb12u1), libudev1:amd64 (252.22-1~deb12u1, 252.30-1~deb12u2), dovecot-core:amd64 (1:2.3.19.1+dfsg1-2.1, 1:2.3.19.1+dfsg1-2.1+deb12u1), libc6:amd64 (2.36-9+deb12u7, 2.36-9+deb12u8), locales:amd64 (2.36-9+deb12u7, 2.36-9+deb12u8), libssl3:amd64 (3.0.11-1~deb12u2, 3.0.14-1~deb12u2), libkrb5-3:amd64 (1.20.1-2+deb12u1, 1.20.1-2+deb12u2), bash:amd64 (5.2.15-2+b2, 5.2.15-2+b7), bind9-dnsutils:amd64 (1:9.18.24-1, 1:9.18.28-1~deb12u2), base-files:amd64 (12.4+deb12u5, 12.4+deb12u7), libk5crypto3:amd64 (1.20.1-2+deb12u1, 1.20.1-2+deb12u2), libpython3.11-stdlib:amd64 (3.11.2-6, 3.11.2-6+deb12u3), libmilter1.0.1:amd64 (8.17.1.9-2, 8.17.1.9-2+deb12u2), amavisd-new:amd64 (1:2.13.0-3, 1:2.13.0-3+deb12u1), libseccomp2:amd64 (2.5.4-1+b3, 2.5.4-1+deb12u1), systemd-standalone-sysusers:amd64 (252.22-1~deb12u1, 252.30-1~deb12u2), libglib2.0-0:amd64 (2.74.6-2+deb12u2, 2.74.6-2+deb12u3), nano:amd64 (7.2-1, 7.2-1+deb12u1), libc-l10n:amd64 (2.36-9+deb12u7, 2.36-9+deb12u8), bind9-libs:amd64 (1:9.18.24-1, 1:9.18.28-1~deb12u2), python3.11-minimal:amd64 (3.11.2-6, 3.11.2-6+deb12u3), libmail-dkim-perl:amd64 (1.20230212-1, 1.20230212-2~deb12u1), libc-bin:amd64 (2.36-9+deb12u7, 2.36-9+deb12u8), dovecot-managesieved:amd64 (1:2.3.19.1+dfsg1-2.1, 1:2.3.19.1+dfsg1-2.1+deb12u1), dovecot-sieve:amd64 (1:2.3.19.1+dfsg1-2.1, 1:2.3.19.1+dfsg1-2.1+deb12u1), python3-idna:amd64 (3.3-1, 3.3-1+deb12u1), libgnutls30:amd64 (3.7.9-2+deb12u2, 3.7.9-2+deb12u3), curl:amd64 (7.88.1-10+deb12u5, 7.88.1-10+deb12u7), dovecot-pop3d:amd64 (1:2.3.19.1+dfsg1-2.1, 1:2.3.19.1+dfsg1-2.1+deb12u1), dns-root-data:amd64 (2023010101, 2024041801~deb12u1), postfix:amd64 (3.7.10-0+deb12u1, 3.7.11-0+deb12u1), openssl:amd64 (3.0.11-1~deb12u2, 3.0.14-1~deb12u2)

[polarathene]

I am a bit confused as to how DMS is intended to be used when the only alternative is the "edge" version that is explicitly not a stable release.

An image is built upon a tagged release and published. There are no updates to the image tag from that point on.

You could add a user-patches.sh script to your image that runs apt update and this would be similar to pulling the same image tag as if it was republished with updated dependencies?

Alternatively you can also git clone the repo for the release tag and perform your own local build. Force a rebuild each time you'd like to get the latest updates.

A simple approach between those two is:

services:
  dms:
    hostname: mail.example.com
    # The `image` setting now represents the tag for the local build configured below:
    image: local/dms:14.0
    # Local build (no need to try pull `image` remotely):
    pull_policy: build
    # Custom build of DMS, extending it to include the `postfix-pgsql` package:
    build:
      dockerfile_inline: |
        FROM docker.io/mailserver/docker-mailserver:14.0
        RUN apt-get update

That will build your own extended image of a DMS release and add a layer of updates on top of it. Force the build each time you would normally bump the image tag to update. This is the best way for you to ensure you get such updates/fixes that are external from DMS project itself.

---

Generally we do not receive issues reporting fixes or updates resolving anything that's affecting anyone, unless it's a recently announced security vulnerability in which case maintainers react accordingly and push out a new release as was done with Postfix in the past as soon as a fix was available.

---

If you would like to contribute scheduled updates for the official DMS image, it would need to ensure that it doesn't introduce regressions elsewhere in the CI. There is only a few volunteer maintainers for the project, the development flow unfortunately is fairly simple (PRs are merged into master, and master has a commit tagged for a release). There are no long-term release branches so backporting isn't that viable.

For this scenario it's probably ok to checkout the release tag and build the image again. It would need to ignore the build cache (and likewise probably not upload one afterwards), but if an update did introduce a regression that caused problems, you'd need to account for how to revert that to a previous image digest published for that tag.