Richard Bucker

Alpine Linux does not use glibc but uclibc

Posted at — Apr 1, 2016

Alpine Linux does not use glibc but uclibc. I have no idea if it’s any better than glibc but in the wake of the glibc vulnerability I’m thinking:is it better to use obscure code like apline linux and uclibc because the uber hackers are not likely to pay attention or is it better to use ubuntu-core, stave off the attacks as best as possible and rely on ubuntu to patch themselves asap? (substitute any tier 1 linux or operating system in place of ubuntu).I don’t have the answer to the question but it does bother me. On the otherhand most of the vulnerabilities that have been exposed lately have required local access and in the web service business there is not much of that going on. But it does mean that you must have trusted tools. Now that I’m using containers and such there are several ways to mitigate the issues.Continuous integration and zero downtime deploy will go a long way to getting a new base image into the pipeline. Containers might be vulnerable but if you limit the exposure then things like this have limited attack planes.I am curious why the official golang version on the docker registry uses alpine?