Beginning on March 1, 2017, Pivotal Cloud Foundry buildpacks will be updated monthly with each elastic runtime release. This will make sure buildpacks stay up to date with security vulnerabilities, bug fixes, and new features. See below for more details.
Buildpack Update Information
In order to distribute buildpack security and bug fixes more quickly, simplify buildpack maintenance, and ensure platform components are compatible with buildpack updates, Pivotal is changing how buildpack updates are distributed to customers. This new approach is simpler for PCF operators and has fewer steps required to keep the platform up to date.
Currently, the buildpacks that are automatically deployed with PCF Elastic Runtime are only updated in minor releases of Elastic Runtime. This means that deploying Elastic Runtime 1.9.2 currently replaces your system buildpacks with the same buildpack versions that shipped with Elastic Runtime 1.9.0.
After March 1, 2017, new monthly patch releases of Elastic Runtime 1.8 and 1.9 will include the latest available versions of their included buildpacks. Furthermore, if a critical security vulnerability is discovered that affects a buildpack included with Elastic Runtime, an Elastic Runtime patch release will be created immediately after the vulnerability is addressed in the buildpack.
Best Practices for Buildpacks
Moving forward, we recommend that customers use Elastic Runtime patch releases to keep their buildpacks updated. This means that we no longer recommend modifying the buildpacks that are included with Elastic Runtime. This allows us to make stronger guarantees about the compatibility between the included buildpacks and your PCF deployment.
Please ensure that the buildpacks are not locked before upgrading to the latest elastic runtime release. This can be verified by running `cf buildpacks` and reviewing the `locked` column in the output. If there are locked buildpacks please use the instructions here to modify the locked value to false.
We believe that buildpacks should always be kept up-to-date to mitigate any security issues with running old versions of the technology runtimes provided with the buildpacks. That said, we realize that some customers may not want the buildpacks included with Elastic Runtime to be updated this frequently. Although it is not recommended, old buildpacks may be added to your PCF installation with different names to avoid replacement when Elastic Runtime is updated.
Buildpacks for Legacy Elastic Runtime Releases
Customers that are using elastic runtime releases prior to March 1, 2017 will be required to update buildpacks manually which has been the normal process. Notes on managing buildpacks for these older elastic runtime releases can be found in this article.
Please reach out to Pivotal Support if you have any questions about this change.