Mid-last week, Debian moved Wheezy (7) and Jessie (8) backport repositories into archive.debian.org, and out of its main mirror network, which prevented the installation of several packages included in -browsers-tagged variants of our convenience images, as they previously relied on the main Debian mirror.
We considered three solutions, which are also outlined here:
- Stop supporting Debian Jessie variants of our images
- Switch from the main Debian mirror to the
jessie-backportsarchive - Stop using Open JDK 8 (the root of the specific package failures) in our
-browsers-tagged variants
To minimize changes to our infrastructure that could impact customers, and to resolve the issue as quickly as possible, we opted for solution #2 (see pull request). We have subsequently patched the issue in the vast majority of our images.
As a reminder, we do not actively build/maintain all available image tags. The tags we actively support are determined by the tags pushed to upstream Docker Library images, as outlined below:
- https://github.com/circleci/circleci-images#official-images
- https://circleci.com/blog/build-image-update-schedule
Thus, to ensure your image has the latest patch, make sure the tag you are using is a new one. You can easily make this determination in either of two ways:
- check the tags list at
https://hub.docker.com/r/circleci/YOUR_IMAGE/tags, which lists tags by last-pushed date - check our
circleci-dockerfilesrepository, which publishes complete Dockerfiles for all tags published as part of each new commit to our images repository
You can also use our images’ semantic versioning system, which draws from the semantic versioning of upstream Docker Library images, to make sure you receive these kinds of updates automatically. For example, while the circleci/node:9.10.0 image tag may not be built in the future, referencing circleci/node:9.10 in your config.yml file will ensure that you always receive the latest circleci/node:9.10.z image tag.
Finally, it’s important to note that our solution—to use the packages in the Debian Archive—is temporary: the Archive infrastructure does not receive security updates, so we will be patching this issue in a more permanent way, with better long-term security implications, in the near future.
Thank you!