You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Registry Stack release and product Dockerfiles currently pin Debian 12 Bookworm or Distroless Debian 12 images. Debian transferred Bookworm from regular security support to LTS in July 2026 and recommends Debian 13 where possible. Grype 0.114.0 consequently warns that Debian 12 vulnerability data may be incomplete or outdated.
The beta-12 source-candidate scan also found one fixable Medium finding in the pinned Bookworm base (liblzma5 5.4.1-1, fixed by 5.4.1-1+deb12u1). Current Bookworm images contain the fix, but the pinned release base predates it. The reported High/Critical Bookworm findings had no fixed Bookworm package in the scan and require normal reachability/issuer triage rather than a zero-CVE claim.
This does not block publishing a candidly evidenced beta, but the 1.0 runtime and scanner support boundary should be unambiguous.
Move release Relay and Notary runtime images to supported Debian 13/Trixie and Distroless Debian 13 bases, pinned by immutable multi-architecture digest, or document and approve a concrete Debian 12 LTS exception.
Align maintained product Dockerfiles and the release Dockerfiles so local/preflight images do not silently test a different OS support boundary.
Verify Notary PKCS#11 runtime libraries, CA roots, non-root behavior, permissions, and readiness on the chosen base.
Verify Relay non-root runtime files, CA roots, worker execution, and readiness on the chosen base.
Rebuild with the release workflow, produce SBOM and Grype evidence, address every fixable finding, and record reachability decisions for remaining High/Critical findings without claiming zero CVEs.
Run the maintained Registry Stack image checks and the standalone Solmara implementer smoke with one Notary per Relay authority.
Document the supported runtime-base lifecycle and digest-refresh expectation for implementers and release operators.
Context
Registry Stack release and product Dockerfiles currently pin Debian 12 Bookworm or Distroless Debian 12 images. Debian transferred Bookworm from regular security support to LTS in July 2026 and recommends Debian 13 where possible. Grype 0.114.0 consequently warns that Debian 12 vulnerability data may be incomplete or outdated.
The beta-12 source-candidate scan also found one fixable Medium finding in the pinned Bookworm base (
liblzma55.4.1-1, fixed by 5.4.1-1+deb12u1). Current Bookworm images contain the fix, but the pinned release base predates it. The reported High/Critical Bookworm findings had no fixed Bookworm package in the scan and require normal reachability/issuer triage rather than a zero-CVE claim.This does not block publishing a candidly evidenced beta, but the 1.0 runtime and scanner support boundary should be unambiguous.
Official lifecycle notice: https://www.debian.org/News/2026/20260712
Acceptance
Non-goals