[Rkt](https://coreos.com/rkt) doesn't allow ports to be exposed to containers unless they are declared in the container manifest. Re-adding EXPOSE back in (removed in 1dbf993bce) allows the container to be used on rkt based systems.
- Always run apt update before any other apt command. (This fixes
incremental builds failing if a remote package is updated.)
- Only copy dependency lists before installing dependencies. (This means
editing code doesn't force all dependencies to be re-downloaded.)
- Delete cache in the same layer that it is created. (Otherwise,
deleting cache *increases* the size of the image on non-squashed
- Move the installation of some static dependencies to *before* Mastodon
code is imported to Docker.
> This release includes some bug fixes and some security fixes.
> - CVE-2017-17742: HTTP response splitting in WEBrick
> - CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
> - CVE-2018-8777: DoS by large request in WEBrick
> - CVE-2018-8778: Buffer under-read in String#unpack
> - CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
> - CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
> - Multiple vulnerabilities in RubyGems