images: update dependencies to always use >= (!29493) · Merge requests · Warren Gifford / sourcegraph

Warren Gifford requested to merge main-dry-run/deps-greater into main Jan 06, 2022

Created by: bobheadxi

Alpine packages only keep the most recent few releases, with older releases being dropped on a regular basis.

We enforce versions, it seems, mostly to ensure the inclusion of particular security patches. Since not upgrading will only break our builds, and when we run into issues we just upgrade anyway, we should just only ever pin minimum versions - even the usage of =~ introduced in https://github.com/sourcegraph/sourcegraph/pull/29090 might be too specific, since that seems to be introducing inter-package dependency awkwardness, such as now:

#6 1.373 ERROR: unable to select packages:
#6 1.393   busybox-1.31.1-r21:
#6 1.393     breaks: world[busybox~1.34.1]
#6 1.393     satisfies: ca-certificates-20191127-r7[/bin/sh]
#6 1.393                alpine-baselayout-3.2.0-r7[/bin/sh]

To make this the new standard, also adds a hadolint.yml to disable DL3018 by default

images: update dependencies to always use >=

Merge request reports