There are repeated reports that there are unfixed CVEs in minideb, but this
is due to Debian not releasing a DSA for that CVE. This tries to explain
that in the README for people to find or be pointed to.
Co-authored-by: Carlos Rodríguez Hernández <carrodher1179@gmail.com>
Signed-off-by: James Westby <james@jameswestby.net>
* Include Debian 11 in CI automations
* Disabled bullseye arm for now until we figure out a fix for the qemu crash
* Use qemu-static package from Ubuntu 20.10 when building for bullseye to work around the segfault issue
The `update-rc.d` command in the `init-system-helpers` package is
required by the `linux-util` postinst script, but `init-system-helpers`
doesn't seem to be installed by default in 11/bullseye.
The suite name for the updates repository has also changed in
11/bullseye.
`/usr/share/doc` contains a structure that might be like
```
foo/copyright
foo/other
bar -> foo
```
In this case we want to delete `foo/other`, but leave `bar` alone.
The previous code would delete `bar` as it is not a directory.
However, the structure of `/usr/share/doc` is such that the first
level is a per-package directory (or symlink) and the directory
contains the files. We therefore want to only consider files in the
package directories, so look a level further down the tree before
deleting.
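The cleanup rule described in this message, as an added example that is not part of the commit or of minideb's own scripts. The function names and the sample tree are constructed for illustration, and GNU `find` is assumed (for `-mindepth`, `-empty` and `-delete`). `naive_prune_docs` models only the behaviour the message attributes to the previous code.

```shell
#!/bin/sh
# Added example (not minideb code): prune a doc tree while keeping the
# per-package copyright files and first-level symlinks. Assumes GNU find.

# prune_docs DIR: delete everything inside DIR/<package>/ except files
# named "copyright". First-level entries (package directories, or
# symlinks to them) are never candidates because of -mindepth 2.
prune_docs() {
    doc_root=$1
    # find does not follow symlinks by default, so "bar -> foo" is not
    # descended into and is itself at depth 1, below the cut-off.
    find "$doc_root" -mindepth 2 ! -type d ! -name copyright -delete
    # Remove subdirectories that the first pass left empty.
    find "$doc_root" -mindepth 2 -type d -empty -delete
}

# naive_prune_docs DIR: constructed model of the earlier behaviour, where
# any non-directory not named "copyright" is deleted, including a
# first-level symlink such as "bar".
naive_prune_docs() {
    find "$1" -mindepth 1 ! -type d ! -name copyright -delete
}

# make_sample_tree: build the layout from the message in a temp dir and
# print its path (constructed sample input).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/foo"
    : > "$root/foo/copyright"
    : > "$root/foo/other"
    ln -s foo "$root/bar"
    printf '%s\n' "$root"
}

# Demo: show what survives the depth-aware prune.
demo_root=$(make_sample_tree)
prune_docs "$demo_root"
find "$demo_root" -mindepth 1 | sort
rm -rf "$demo_root"
```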
Previously we were tagging for all registries as we built
the images and then pushing all registries blindly.
Now if an image hasn't changed it wouldn't tag with the other
registry tags, and then the push would fail as the gcr/quay
tags didn't exist.
Rather than taking care to tag in the case where the image
hasn't changed, instead change the pushall script to
only assume that `bitnami/minideb` tags are correct, and
tag the other registries based on that one before pushing.
This ensures that the tags will always exist, and also makes
sure we are pushing the same image to each registry (excluding
race conditions).