this post was submitted on 25 Feb 2026

It's a bit strange how The Debian Way recommends installing software from the official repository, but not in the case of a crucial program like Docker.

top 10 comments
[–] slazer2au@lemmy.world 6 points 2 days ago (2 children)

Debian repo of docker is a couple versions behind.

The current official release is 29.2.1
While the Debian repo is 26.1.5

There are security issues that have been patched since 26.1.5 was released in 2024.

3 of them allow for container escape, which you don't want.

[–] moonpiedumplings@programming.dev 8 points 2 days ago* (last edited 2 days ago)

Please don't use the versions to analyze if debian's docker has security issues.

Debian has a model of taking a version of a package, and then only doing security updates to it, no feature updates or even noncritical bugfixes, to ensure maximum compatibility. Like most stable release distros, they use their own versioning scheme, usually appending extra numbers. The actual version of docker in use is 26.1.5+dfsg1-9 - the stuff after the dash indicating extra updates. https://packages.debian.org/stable/docker.io

If you visit the debian security tracker, you will see that docker.io is not included in the list of currently vulnerable packages: https://security-tracker.debian.org/tracker/status/release/stable
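An added example, not part of the comment above and not Debian's own code, of the check it describes: read per-release status from security tracker data instead of comparing upstream version numbers. The JSON shape, status strings, release codename, CVE ids and `example-pkg` are assumptions or constructed placeholders; only the `26.1.5+dfsg1-9` version string comes from the thread.

```python
import json

# Constructed sample, shaped as: package -> CVE id -> "releases" -> codename.
# All CVE ids, the codename and "example-pkg" are placeholders, not tracker data.
SAMPLE = json.loads("""
{"docker.io": {
   "CVE-0000-0001": {"releases": {"trixie": {"status": "resolved",
                                             "fixed_version": "26.1.5+dfsg1-9"}}},
   "CVE-0000-0002": {"releases": {"trixie": {"status": "resolved",
                                             "fixed_version": "26.1.5+dfsg1-4"}}}},
 "example-pkg": {
   "CVE-0000-0003": {"releases": {"trixie": {"status": "open"}}}}}
""")


def split_debian_version(version):
    """Split [epoch:]upstream[-revision]; the revision is Debian's own part."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def release_entries(data, package, release):
    """Map CVE id -> tracker entry for one package in one release."""
    return {cve: info["releases"][release]
            for cve, info in data.get(package, {}).items()
            if release in info.get("releases", {})}


def open_cves(data, package, release):
    """CVE ids the tracker data still marks as open for this release."""
    entries = release_entries(data, package, release)
    return sorted(c for c, e in entries.items() if e["status"] == "open")


def fixed_in_debian_revision(data, package, release, installed):
    """Resolved CVEs whose fix kept the installed upstream version, so the
    fix shows only in the Debian revision, never in the upstream number."""
    upstream = split_debian_version(installed)[1]
    entries = release_entries(data, package, release)
    return sorted(c for c, e in entries.items()
                  if e["status"] == "resolved"
                  and split_debian_version(e.get("fixed_version", ""))[1] == upstream)
```
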

[–] alonsohmtz@feddit.uk 5 points 2 days ago (2 children)

Thanks. I thought Debian was supposed to include security updates.

They do. The person you are replying to is wrong.

[–] slazer2au@lemmy.world 4 points 2 days ago

They do backport some but can't for every package.

[–] moonpiedumplings@programming.dev 3 points 2 days ago* (last edited 2 days ago)

Because it's not an official piece of documentation and doesn't actually represent best practices.

https://wiki.debian.org/DontBreakDebian#Don.27t_make_a_FrankenDebian

I generally prefer to get docker.io from Debian's official repos because it's the fastest and easiest way to do it. Yes, Debian's policy of only doing security or critical bugfixes to packages (and no minor bugfixes or new features) means it's an older version of docker, but there is nothing I particularly need from a newer docker that makes me care.

I do care about new features in Incus, a virtualization manager, so I happily throw best practices out the window to add their repository to my Debian server. The repo also packages the Incus web UI, whereas Debian repos do not. But unless you have a need to deviate, I would recommend following best practices. The more you interact with software the way developers expect you to interact with it, the smoother your experience will be and you will run into fewer issues in the long run.

[–] SpaceNoodle@lemmy.world 3 points 2 days ago (2 children)

Docker is far from crucial.

[–] hitmyspot@aussie.zone 3 points 2 days ago (1 children)

Depends who you ask. For someone running lots of containers, it’s pretty crucial.

[–] vegetaaaaaaa@lemmy.world 1 points 1 day ago* (last edited 1 day ago)

There are better alternatives, podman is daemonless and rootless by default, comes with a docker-compatible CLI, and far better container network implementations. It is also provided as stable/LTS package in Debian repositories so you won't have to upgrade your container runtime every 2 days (causing downtime), like running the upstream Docker package does.

The only reason to keep using Docker nowadays is if you have a lot of legacy apps that depend on Docker-specific features (e.g. require rootful containers). For most workflows it is a matter of alias docker=podman. If you use docker-compose, you do need to port your setup to podman quadlets, or systemd-managed containers though. For me it was worth it.

[–] RickyRigatoni@piefed.zip -1 points 2 days ago

Debian is used as a server distro by a huge number of people, and many services are released as docker containers. If Debian doesn't consider docker crucial, they are as outdated and delusional as it is written in the memes.