> The security issue (50 containers -> 50 versions of openssl to patch)
> also still stands — the earlier question on this list (when to expect
> patched containers for a CVE affecting a library)

I assume they use the default el7/el8 as a base layer, so when that is updated, you will
get the updates. However, redeploying tasks is not the same as just giving them a
restart.

> is still unreplied to[1], so these are real-life concerns. In general, I
> don't know any project which ever managed to keep up with the workload
> caused by the requirement to follow all CVEs of all dependencies,
> informing about them and patching them, since this is a workload
> comparable to the one the security teams of Linux distributions have to handle.

Indeed, this is the core business of a distro that you choose. No software solution should
ever make it theirs. E.g. this DCOS is just a binary blob of a CentOS release, of which
you have no idea whether it is up to date or not; I do not get why people install it.

> Cheers (and congratulations to all who made it to the end of this mail),

I think your text clearly summarizes the point of view of many here.