I removed the left-over Fail2Ban ARGs from Dockerfile too :)

I would like to stick with the official debian package from fail2ban

Do you mind if we bring that back in a follow-up PR that is introduced as a separate stage?

While we at it, don't we want to use the most recent dovecot version too?

Likewise, I don't mind this if we keep everything required to support it as a separate stage.

This way the changes between switching from the Debian package manager to pulling in external packages to support has cleaner history of changes.

Eventually, I'd like to evaluate using/supporting a different base image such as Alpine, so keeping such changes isolated is helpful.

I would like to stick with the official debian package from fail2ban. This way we ensure, to get the latest version (also in the future, when Debian might stick with an older version as happen in the past).

I don't quiet get that. With this PR, we're basically using apt-get install fail2ban - this is what I understand as "the official Debian package". Could you elaborate, please?:)

this is what I understand as "the official Debian package". Could you elaborate, please?:)

I think he was referring to the .deb release from the official Github releases? (aka FAIL2BAN_DEB_URL that was used to pull the release).

There's not been a new release for sometime since though, and the next Debian release (expected around mid 2023?) may not get it (depending on if a release happens before the cutoff point for Debian). There is over 350 commits of updates since 11.2 release, so if that happens we may have to install from Github releases again, instead of just the fail2ban package (currently the latest 11.2 release).

I'm not fussed either way, but if we don't use the package, it should be contained in it's own stage. @casperklein could contribute that after this PR is merged?

CI seems to be working as expected with #2753 🎉 (This will now save 13 min on every PR check due to the ARM image being build in parallel 👍🏼)

TL;DR: I don't have a strong enough opinion about the fail2ban decision. I'd rather see this PR get resolved, whatever makes that easier to happen is fine by me.

Serious question: Is this really worth it? IMO, this should be in the new introduced packages.sh and handled there.

I was preferring a separate stage because it interested me in building an image without fail2ban, or being able to change the base image to something like alpine where .deb would not be supported.

This would apply for pretty much anything in packages.sh though, and I don't have a strong need for fail2ban being isolated (it'd be more work beyond this since we have other support in scripts related to it, and tbh I doubt I'll find the time).

I'm fine with it being maintained in packages.sh as it's own function call 👍

Dockerfile is also fine, but it seems like a bunch of extra noise for something that is just a package. Upstream has had many commits, but I haven't seen a release in a while.

I don't know when a new release of f2b will happen or how important that is to the users of our image.

We could do the same for dovecot and postfix and whatever other packages too, but how many users need it, and if they do is Debian the right choice for a base image, or is something that updates packages more frequently like Alpine better? (I'm sure it has it's own share of problems too)

As a maintainer, what I care most about (and for any future maintainers if we're lucky), is that we have something well organized and scoped.

I'd like to say it'd be a git blame away, but we all know how frustrating that can be to track down the original PR for something to get more context on why the project chose to do something, and what in the project is related to a feature/change (@georglauterbach for example originally wanted to mix in changes for rspamd into this PR, which would contribute to the problem)

Okay, alright :)

Next week, I will tackle the cache issue in our CI and take care of the Fail2Ban concern raised here.

Not sure if I understand you correctly. Are you going to adjust this PR or merge it soon? If the later one, I'll provide a follow up with f2b included in packages.sh and optional if there is consensus also with Dovecot.

Not sure if I understand you correctly. Are you going to adjust this PR or merge it soon? If the later one, I'll provide a follow up with f2b included in packages.sh and optional if there is consensus also with Dovecot.

I was about to do the former, but if you want to do the latter, I won't hinder you. I will need to resolve conflicts in either way. Adding the Dovecot package via .deb files seems like a good idea, so maybe a follow-up is a good idea after all (especially since the changes would be more coherent then)?

I'll provide a follow up with f2b included in packages.sh and optional if there is consensus also with Dovecot.

👍 for adding Dovecot. I would appreciate if both f2b and dovecot live in their own separate function calls in packages.sh though if not too much trouble. Just a preference though, approach it however you like :)

@casperklein which way do you prefer? Shall I integrate the changes into this PR or shall I or will you do a follow up PR? I prefer a follow-up 🙈

Follow up 👍

Follow up 👍

👍 Then I will provide a follow up. I will resolve conflicts for this PR on Monday and then we can merge this :)

I meant, I'll provide a follow up. I've already something prepared 😉

I meant, I'll provide a follow up. I've already something prepared 😉

Very nice 🚀

I resolved the merge conflicts and updated the docker/build-push action so that the version used across our repository is the same everywhere.

There's not been a new release for sometime since though

Boom, there it is 🚀

I bet, that the time will come when Debian again will offer not the latest version of f2b. Especially with security related software, I prefer the latest version with it's features.

Ok, I didn't expect the release to happen that soon after making such a statement 😆 😅

That just leaves postsrsd (which has been fixed quickly after reporting the bug) for the ulimit issue.