❤️ Debian
Rules
Debian repo of docker is a couple versions behind.
The current official release is 29.2.1
While the Debian repo is 26.1.5
There are security issues that have been patched since 26.1.5 was released in 2024.
3 of them allows for container escape which you don't want.
Please don't use the versions to analyze if debian's docker has security issues.
Debian has a model of taking a version of a package, and then only doing security updates to it, no feature updates or even noncritical bugfixes, to ensure maximum compatibility. Like most stable release distros, they use their own versioning scheme, usually appending extra numbers. The actual version of docker in use is 26.1.5+dfsg1-9 - the stuff after the dash indicating extra updates. https://packages.debian.org/stable/docker.io
If you visit the debian security tracker, you will see that docker.io is not included in the list of currently vulnerable packages: https://security-tracker.debian.org/tracker/status/release/stable
Thanks. I thought Debian was supposed to include security updates.
They do. The person you are replying to is wrong.
They do backport some but can't for every package.
Because it's not an official piece of documentation and doesn't actually represent best practices.
https://wiki.debian.org/DontBreakDebian#Don.27t_make_a_FrankenDebian
I generally prefer to get docker.io from Debian's official repos because it's the fastest and easiest way to do it. Yes, debian's policy of only doing security or critical bugfixes to packages (and no minor bugfixes or new features) means it's an oldee version of docker, but there is nothing I particularly need from a newer docker that makes me care.
I do care about new features in Incus, a virtualization manager so I happily throw best practices out the window to add their repository to my debian server. The repo also packages the Incus web UI, whereas debian repos do not. But unless you have a need to deviate I would recommend following best practices. The more you interact with software the way developers expect you to interact with it, the smoother your experience will be and you will run into less issues in the long run.
Docker is far from crucial.
Depends who you ask. For someone running lots of containers, it’s pretty crucial.
There are better alternatives, podman is daemonless and rootless by default, comes with a docker-compatible CLI, and far better container network implementations. It is also provided as stable/LTS package in Debian repositories so you won't have to upgrade your container runtime every 2 days (causing downtime), like running the upstream Docker package does.
The only reason to keep using Docker nowadays is if you have a lot of legacy apps that depend on Docker-specific features (e.g. require rootful containers). For most workflows it is a matter of alias docker=podman. If you use docker-compose, you do need to port your setup to podman quadlets, or systemd-managed containers though. For me it was worth it.
Debian is used as a server distro by a huge amount of people and many services are released as docker containers if debian doesn't consider docker crucial they are as outdated and delusional as it is written in the memes.