# Clean PostgreSQL Image

**Purpose**: Build PostgreSQL from official Debian repositories to avoid compromised Docker Hub images.

## Why This Exists

Multiple PostgreSQL images from Docker Hub were found to be compromised with cryptocurrency miners:

- `postgres:15-alpine` - Incident #3
- `postgres:16-alpine` - Incident #4
- `postgres:14` - Incident #5

This image is built from scratch using only official PostgreSQL APT repositories.

## Build

```bash
cd docker/postgres-clean
docker build -t daarion-postgres:16-clean .
```

## Verify Build

```bash
# Check no suspicious files
docker run --rm daarion-postgres:16-clean find /tmp -type f -executable

# Check process tree during startup
docker run -d --name test-pg -e POSTGRES_PASSWORD=test daarion-postgres:16-clean
sleep 10
docker exec test-pg ps aux
docker stop test-pg && docker rm test-pg
```

## Usage

Replace in `docker-compose.db.yml`:

```yaml
db:
  # image: postgres:16-alpine  # COMPROMISED
  image: daarion-postgres:16-clean
  # ... rest of config
```

## Security Notes

- Built from Debian official repositories only
- Minimal dependencies
- Simplified entrypoint script (no suspicious code)
- No hidden binaries or scripts
- All code is readable and auditable

## Maintenance

To update PostgreSQL version:

1. Edit `Dockerfile`: Update `PG_VERSION`
2. Rebuild image
3. Test thoroughly before deploying
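
A scripted form of the process-tree check under "Verify Build", as an added example that is not part of this project: it filters `ps aux` output against an allowlist instead of relying on reading it by eye. The function names, the allowlist and the sample output are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not the project's code). The allowlist and sample are assumptions.

# Reads `ps aux` output on stdin and prints one line per process that should not
# be running in a PostgreSQL-only container. Prints nothing when all is expected.
unexpected_procs() {
  awk '
    NR == 1 { next }                                # skip the ps header row
    {
      cmd = $11
      for (i = 12; i <= NF; i++) cmd = cmd " " $i   # rebuild the full command line
      exe = $11; sub(/^.*\//, "", exe)              # basename of argv[0]
      reason = ""
      if ($11 ~ /^\/(tmp|var\/tmp|dev\/shm)\//) {
        reason = "runs-from-temp-dir"
      } else if (exe == "postgres" || exe == "postgres:") {
        # postmaster and its workers must run as the postgres user
        if ($1 != "postgres") reason = "postgres-name-wrong-user"
      } else if (exe == "ps" && $12 == "aux") {
        reason = ""                                 # the check itself
      } else {
        reason = "not-in-allowlist"
      }
      if (reason != "") printf "pid=%s user=%s reason=%s cmd=%s\n", $2, $1, reason, cmd
    }'
}

# Constructed sample of `docker exec test-pg ps aux` output (not real data).
sample_ps() {
  cat <<'EOF'
USER      PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
postgres    1  0.3  0.1 215432 28100 ?   Ss   10:00 0:00 /usr/lib/postgresql/16/bin/postgres -D /var/lib/postgresql/data
postgres   27  0.0  0.0 215560  5200 ?   Ss   10:00 0:00 postgres: checkpointer
postgres   28  0.0  0.0 215432  5100 ?   Ss   10:00 0:00 postgres: background writer
root       45 98.7  2.1 712000 90000 ?   Sl   10:00 0:09 /tmp/.cache/worker --threads 4
root       46  0.0  0.0 215000  5000 ?   Ss   10:00 0:00 postgres: checkpointer
root       52  0.0  0.0   8100  3900 ?   Rs   10:00 0:00 ps aux
EOF
}

# Demo on the sample. Live: docker exec test-pg ps aux | unexpected_procs
sample_ps | unexpected_procs
```

A process can set its own displayed name, so an empty result is a first-pass signal to use alongside the `find /tmp` scan, not proof that the image is clean.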