Daily security updates

For every image line, the most recent version is actively maintained by Minimus. This means Minimus rebuilds the most recent version in every image line whenever any of its internal packages or their dependencies is updated. Once a new version is published in an image line, active maintenance is transferred to the new version. See architecture.

For example, nginx is typically released every 2 months (ref). Between these releases, new CVEs are discovered and fixed in internal packages used by the nginx image, and those packages can be updated more often. Since Minimus updates all packages daily, security patches are immediately delivered to its users.

Package release cycle

Minimus builds packages on a rolling basis, as soon as an update is available upstream. If a new package version fixes a vulnerability, the advisory status will be changed to fixed as soon as the package is fixed. Affected images will show as pending image build until the daily image build cycle completes and the new fixed version is released by Minimus.

Image release cycle

Minimus builds images once a day. Minimus actively maintains the last version in every image line. For example, in August 2025, 4 Python image lines were being actively maintained: 3.13, 3.12, 3.11, and 3.10.

[Figure: Python Version Updates]

For image line 3.10:
  • Version 3.10.17 was maintained until June 3 2025. Maintenance of version 3.10.17 ended with the release of version 3.10.18. As a result, the packages in the image are no longer updated and vulnerabilities accrue. In this example, 3.10.17-dev has many vulnerabilities and even an active exploit, indicating that users should upgrade to a newer version as soon as possible.
  • Version 3.10.18, the latest version in the image line, is actively maintained with new daily builds and package updates. Version 3.10.18 was first released on June 4 2025 (the earliest digest and timestamp) and was rebuilt many times with package updates to keep the image fresh and the vulnerability count as low as possible.

Same image version tag, different SBOMs

When an image is rebuilt without a change in the image version tag, it means there is at least one package update. When an image version is rebuilt and added to the digest history, it has a different image SBOM, digest, timestamp tag, and possibly vulnerability report. The image is functionally the same, but the non-primary packages under the hood can differ. The image version tag is determined by the version of the primary package (e.g. nginx in the nginx image, package python-3.13 in the Python image, and so forth). Other packages in the image are updated by Minimus on a daily basis, in keeping with the package and image release cycle.

Unique timestamp tag

The unique timestamp tag can help you easily tell apart different builds for the same image version and reliably pull the most recent build for a specific version. The timestamp tag is much like an image digest, only friendlier and human-readable.

[Figure: Timestamp Tag]

The timestamp tag indicates when the build was published, for example:
  • elasticsearch:8.17.2-dev-202503040032 is the tag for the Elasticsearch image version 8.17.2 built on March 4, 2025 at 00:32 UTC.
  • nginx:1.27.4-202503070038 is the tag for the NGINX image version 1.27.4 built on March 7, 2025 at 00:38 UTC.

Pulling a fresh image and avoiding cached images

Because Minimus actively maintains its images, it’s best to pull a fresh Minimus image every time. Using a cached image is ill-advised, as it can mean running an image with avoidable vulnerabilities. Learn how to force a fresh image pull.
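
The timestamp tag and the advice against cached images can be combined into a freshness check. The following is an added example, not Minimus code: it assumes the tag layout `<image>:<version>[-dev]-<YYYYMMDDHHMM>` inferred from the two sample tags above and treats a build older than 24 hours as stale, an assumption based on the once-a-day image build cycle. The function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout, inferred from the two sample tags on this page:
# <image>:<version>[-dev]-<YYYYMMDDHHMM>, with the timestamp in UTC.
TAG_RE = re.compile(
    r"^(?P<image>[a-z0-9][a-z0-9._/-]*):(?P<version>\d+(?:\.\d+)*)"
    r"(?P<variant>-dev)?-(?P<stamp>\d{12})$"
)

def parse_tag(ref):
    """Split a timestamp-tagged reference; raise ValueError if it has no build stamp."""
    m = TAG_RE.match(ref)
    if not m:
        raise ValueError(f"no timestamp tag in {ref!r}")
    built = datetime.strptime(m["stamp"], "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    return {"image": m["image"], "version": m["version"],
            "variant": (m["variant"] or "").lstrip("-"), "built": built, "ref": ref}

def newest_builds(refs):
    """Return the most recent build per (image, version, variant) line."""
    newest = {}
    for ref in refs:
        t = parse_tag(ref)
        key = (t["image"], t["version"], t["variant"])
        if key not in newest or t["built"] > newest[key]["built"]:
            newest[key] = t
    return newest

def is_stale(ref, now, max_age=timedelta(hours=24)):
    """True when a cached build is older than one daily build cycle (assumed 24 h)."""
    return now - parse_tag(ref)["built"] > max_age

# Constructed sample: the first two tags are the page's examples, the rest are made up.
SAMPLE = [
    "elasticsearch:8.17.2-dev-202503040032",
    "nginx:1.27.4-202503070038",
    "nginx:1.27.4-202503050041",
    "nginx:1.27.4-dev-202503060039",
]

if __name__ == "__main__":
    now = datetime(2025, 3, 7, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    for key, t in sorted(newest_builds(SAMPLE).items()):
        print(key, t["ref"], "STALE" if is_stale(t["ref"], now) else "fresh")
```

A reference without a timestamp suffix, such as a plain version tag, raises `ValueError`, so a cached image whose build time cannot be determined is never reported as fresh.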