
Alpine Linux 3.9.0 Released - _ikke_
https://alpinelinux.org/posts/Alpine-3.9.0-released.html
======
jakobgm
Great!

Especially happy to see Tesseract OCR v4.0 [0] now being in the mainline
repository. Tesseract was the main motivation for changing my web stack to
docker a couple of weeks ago, and I had to use a separate builder image [1] in
Alpine 3.8. Now it is just:

> apk add tesseract-ocr

[0] [https://pkgs.alpinelinux.org/package/v3.9/community/armhf/tesseract-ocr](https://pkgs.alpinelinux.org/package/v3.9/community/armhf/tesseract-ocr)

[1] [https://hub.docker.com/r/inetsoftware/alpine-tesseract/](https://hub.docker.com/r/inetsoftware/alpine-tesseract/)

------
jillesvangurp
I'm curious to know why they switched back to openssl from libressl. Are there
compatibility issues or have the issues that caused libressl to be created
been addressed now in openssl?

~~~
_ikke_
This post[0] contains some of the reasons:

    
    
      - better upstream support from projects
      - To my understanding, various of the issues in OpenSSL
        that made us switch to libressl have been resolved.
        (for example memory management)
      - libressl failed to retain compatibility with OpenSSL
      - libressl breaks ABI every 6 months, OpenSSL does not
      - FIPS support
    

[0]: [http://lists.alpinelinux.org/alpine-devel/6308.html](http://lists.alpinelinux.org/alpine-devel/6308.html)

~~~
viraptor
It sounds weird that FIPS is relevant to Alpine. They're not going through the
certification process, so does it matter?

~~~
Nursie
There are situations where you want to be able to say you're using a FIPS
certified crypto library, but that you're not going to get the whole thing
certified.

I went through that with an IBM product I was working on years ago. It
involved taking out any crypto implementations already in the code (I believe
we had a reference DES implementation doing something with passwords) and
switching to FIPS certified TLS libs. At the end we got to say we were FIPS
compliant (NOT certified), which was important for some government contract or
other.

~~~
windexh8er
Also interesting is that the PCI SSC is now recommending FIPS 140-2. While not
likely relevant to the decision in Alpine, it may be relevant downstream with
regard to choosing Alpine to develop on.

PCI Standards Security Council - Secure Software Standards v1.0 (Jan 2019)
[https://www.pcisecuritystandards.org/document_library?category=sware_sec#results](https://www.pcisecuritystandards.org/document_library?category=sware_sec#results)

~~~
Nursie
Oh interesting. That said I've only ever taken devices through PCI-PTS, not
worked on PCI compliant software so I have no idea how much of a departure
this is from common practice.

The one thing that would concern me about widespread adoption of FIPS-
certified tech is that (IIRC) FIPS 140-2 essentially forbids PFS modes
(DH/DHE) on TLS, presumably for traffic audit purposes in secure government
environments.

------
hestefisk
From the web site: “ container requires no more than 8 MB and a minimal
installation to disk requires around 130 MB of storage. Not only do you get a
fully-fledged Linux environment but a large selection of packages from the
repository.”

I remember in 1997 when I could boot Linux off a 1.44MB floppy and get a
fully functioning Linux environment even with network support in a blitz. If
130MB is considered “lean”, what happened to our Unix principles of minimalism
and clean design?

~~~
agumonkey
Let's get realistic, 130MB is in the lowest for ~modern linux. I'd love to
have 1.44MB OS too, deeply, but 8-130 is lean for 2010s standards

~~~
throwaway2048
OpenBSD's installer fits on a 1.44MB floppy, and that includes network
connectivity.

~~~
wibble10
miniroot.fs is >4mb for 6.4 last time I checked...

~~~
throwaway2048
there are multiple install options, floppy64.fs is 1.4MB

------
fuzzy2
Just out of curiosity:

> Firefox is only available on x86_64 due to Rust.

Could someone explain the reasoning behind this? I’m not familiar with
whatever restrictions Rust may impose.

~~~
_ikke_
The issue is porting Rust to other architectures, which is not trivial. Work
is being done to get there, just not in time for v3.9.

~~~
inferiorhuman
Huh? Linux on arm, i686, mips, ppc all have rustup installers. I'm not sure if
that formally makes them "Tier 1" platforms but it does mean that they're
pretty darn well supported by rust. Are the Alpine folks having problems
because they're not using GNU libc?

~~~
wyldfire
The challenge might be bootstrapping. rustc makes a habit of capitalizing on
just-introduced features, and they only require that you have the prior
release. So to build rustc 1.x, you have to build 1.(x-1) first.

Also -- packaging. rustup might be available but the distros generally prefer
their own native packaging system.

~~~
steveklabnik
When bootstrapping a new arch, you usually cross-compile to get it working.
This means that you don't need to build all of those builds. If you want to
start a new bootstrap chain, which is what most distros have done, you do this
once and then go from there as new releases come out.

------
sevensor
How suitable is Alpine as a desktop distribution? It seems like a low-GNU
distribution with an emphasis on static linkage. Is that a correct
assessment? I'm very happy with Arch, I stopped my distro-hopping six years
ago when I landed on it, but I worry that I'm getting complacent because Arch
is just so easy to use.

~~~
sdfasdslk
Static linkage is a beautiful prospect, beckoning with promises of less time
in dependency hell.

~~~
pjmlp
As someone that lived through the introduction of dynamic linking and
threading into UNIX, it is kind of ironic to see the return to the past being
celebrated with joy.

~~~
fao_
Dynamic Linking was actually heralded _against_ by many of the foundational
minds of UNIX. Because the flaws outweigh the benefits. Do not quote me on
this, but IIRC Plan9 does not have dynamic linking for this very reason.

[http://harmful.cat-v.org/software/dynamic-linking/](http://harmful.cat-v.org/software/dynamic-linking/)

~~~
pjmlp
Plan 9 was a middle step for Inferno, the OS HNers keep forgetting about.

Dynamic linking is everywhere on Inferno, implemented by the same Rob Pike of
that email thread.

Also many seem unaware that Go supports dynamic linking for a couple of
versions already. The only thing missing is building plugin libraries on
Windows.

~~~
fao_
> Plan 9 was a middle step for Inferno, the OS HNers keep forgetting about.

I am aware of Inferno.

Also, the irony in talking about "HNers" as an Other, when you yourself are,
to me, a random HNer. It's like an Anon implicitly complaining about an Anon,
rather amusing.

> Dynamic linking is everywhere on Inferno, implemented by the same Rob Pike
> of that email thread.

Sure, but (if I remember correctly) Inferno also is written on/as a virtual
machine. Inferno had rather different aims compared to most "UNIX" systems,
whereas Plan 9 was a unification and generalization of the "UNIX" paradigm.

Windows NT (Or was it DOS) was built, in part, off of UNIX. That doesn't mean
that we should look to Windows NT as an ideal UNIX system, because the design
considerations are different, and the aims of the system are different.

> Also many seem unaware that Go supports dynamic linking for a couple of
> versions already.

Sure, that's not to say there wasn't a huge amount of debate around that. I
believe in the end it was more or less agreed that language uptake was more
important in this case, but I could be wrong. Regardless, if one is properly
apprised of the debate around Go supporting dynamic linking, you can find
Uriel, et al. have some solid arguments _against_ dynamic linking.

------
Leace
> Switch from LibreSSL to OpenSSL

Glad that this happened. OpenSSL looks a lot better than when the entire drama
started and it was quite hard to even build OpenSSL from source on alpine.

------
artellectual
Much awaited release. I've been running my entire application line up on
Alpine; it's been awesome! I wish more Cloud / Hosting providers had default
Alpine Images. I've been using alpine's APK packaging system to manage
software builds and release cycles.

So for those who are curious my CI builds the software into packages
automatically versioning them and marking the build versions, storing the
packages in my GCS bucket and then automatically runs apk add --upgrade on my
package. All orchestrated with Terraform and LXD, no docker / Kubernetes
involved whatsoever. Now there is also apk-autoupdate which I look forward to
exploring and seeing how it can simplify my build process.

------
hendry
Wonder why they use grub over the simpler syslinux option?

~~~
wener
Alpine uses syslinux; it will use grub if you install with the uefi enabled flag.

~~~
hendry
syslinux supports UEFI I think:
[https://www.syslinux.org/wiki/index.php?title=Install#UEFI](https://www.syslinux.org/wiki/index.php?title=Install#UEFI)

So I wonder what is the rationale for using Grub for bootloading UEFI systems.

------
tracker1
Probably my favorite distro for dockerizing apps that need more OS. 130mb
isn't exactly tiny, but it's a lot smaller than other more common options.

I'll sometimes do builds in a larger distro (debian or ubuntu server), then
deploy into alpine.

------
ksec
Just wondering how many are using Alpine in Production? I have heard problems
of LibreSSL ( no longer matters ) and muslc. But no one has come out and stated
they are using it happily in production on X number of Servers.

~~~
tpxl
My company is using Alpine on (at least) 6 kubernetes nodes in production. I'm
happy with it so far, but we're just running a java app (albeit high traffic).

------
oweiler
No Docker image yet?

[https://hub.docker.com/_/alpine](https://hub.docker.com/_/alpine)

~~~
r6by
Follow Glider Labs GitHub Docker Alpine issue:
[https://github.com/gliderlabs/docker-alpine/issues/480](https://github.com/gliderlabs/docker-alpine/issues/480)

------
rcarmo
This is great. I recently filed an issue to upgrade smokeping, and it's now
closed. :)

------
g33k247
Has anyone used this on an RPI? What was your use case?

~~~
Human_USB
I use it on an rPi and _LOVE_ it. The system will boot quickly, and unless I
`ibu`, I just reboot to clear my changes.

I use the rPi for dnscrypt-proxy2.

------
w323898
Still no EFI install media?

