-
-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rebuilding the image only when there is a new version #138
Comments
That's not enough. |
But is it really necessary to rebuild old version images that aren't really used anymore and stay only as archival versions? This is not some typical government software that has a high risk of attack, if there is an exploit on a base image, you can rebuild everything manually. |
Yes it is necessary, no it is not ok to leave things in the repo which are vulnerable to known CVEs. Why do you care if an older version gets bumped? |
Also, what do you consider old archived images? As far as I can tell the rebuild applied to the "latest" label plus the latest major release which is a sensible thing to rebuild |
Because in that case the watchtower pull the new version of the same container and restarts my thelounge instance.
But in that case the automatic update will not work.
You're right, I didn't notice it, I looked at the tag :4 and thought previous versions are built automatically too. Also, shouldn't the :latest tag be the last production version as it is done in other popular containers? |
You absolutely should pull in the new container when the base image updates, else you're running an insecure version. That's the whole point of automatic updates.
Both ways have merits, not my choice and not really related to the issue at hand |
Hello!
Ah yeah I was a bit worried this would end up happening. Just out of curiosity, when you say many people, how many are we talking about and where did you gather this data?
The reason for rebuilding and republishing the latest image versions is to harden them. There are primarily two vectors to keep in mind:
I'd be fine with not doing this and just building fresh images whenever there's a new release upstream, but it's important to consider the lifecycle of TL's releases. A release may remain "latest" for a very long time (roughly counting 4.2.0 -> 4.3.0 took 15 months, for example).
The I'd be OK with not rebuilding on a scheduled basis but only when there's a reason that warrants a rebuild (for example flagged CVEs). I won't have the time to look into figuring out the best way to do this, but PRs are always welcomed. |
From thelounge IRC channel. These are not hundreds of people, but rather several. But probably many people do not know about this possibility, so one day we could add to the documentation information about the auto pull of the image through the watchtower.
You are right about that. I didn't think it through.
In that case, I will look for what options we have available so that the container will be built when CVE is detected in the base image. |
Keep it simple and stupid, just update whenever the base image updates or TL releases. No need to look for CVEs |
Yeah I think this is a good start.
I think it'd be nice to capture CVEs flagged in any of the installed node dependencies, don't you think? |
Considering the version pins that wouldn't do anything for this repo and on the main thelounge one it is already tracked (dependabot) assuming you mean the npm deps of TL |
and the whole node installation is supposed to be managed by the base image layer, including deps node itself uses |
You are right. As it is done now, it is correct. It makes no sense to look for any other option. |
I just saw that thelounge pins the dependency versions in |
yeah well, looking at https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/ and similar happy events, allowing patch releases without vetting is bound to end in tears |
Recently a cron has been added which rebuilds the image once a week:
thelounge-docker/.github/workflows/docker-image-push.yml
Line 5 in 8d1cfb8
As a result, many people who updated the container automatically with the watchtower had to disable it or their instance will be restarted once a week..
Maybe a better solution would be to rebuild the :latest image and build the image with the new version only when the new version is added to thelounge/thelounge repository?
An example of how this can be done is described HERE or HERE.
The text was updated successfully, but these errors were encountered: