blue-build / cli

BlueBuild's command line program that builds custom Fedora Atomic images based on your recipe.yml
https://blue-build.org/
Apache License 2.0

Only include yq in the resulting image when modules require it at runtime #261

Open RoyalOughtness opened 4 days ago

RoyalOughtness commented 4 days ago

Currently, all images built with bluebuild will include yq, regardless of whether they need it.

$ rpm -q --whatprovides /usr/bin/yq
file /usr/bin/yq is not owned by any package

yq consistently lags behind on golang versions, meaning it triggers a number of trivy findings if included. So ideally, it would only be included in images that require it at runtime.
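To see what an unowned Go binary like yq looks like to a scanner, the following added example (not code from the issue or from the BlueBuild project) reads the toolchain version that the Go linker embeds in every Go executable and lists the binaries under a directory that were linked with a toolchain older than a given minimum. It assumes a Go toolchain to build it; the default directory (/usr/bin) and the minimum version are constructed defaults, not values the thread specifies.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// GoBinary describes one executable that carries Go build metadata.
type GoBinary struct {
	Path      string
	GoVersion string // toolchain that linked it, e.g. "go1.21.5"
	Module    string // main module path, e.g. "github.com/mikefarah/yq/v4"
}

// InspectGoBinary reads the build info the Go linker embeds in every Go
// executable. Files without that metadata (non-Go binaries) return an error.
func InspectGoBinary(path string) (GoBinary, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return GoBinary{}, err
	}
	return GoBinary{Path: path, GoVersion: bi.GoVersion, Module: bi.Main.Path}, nil
}

// parseGoVersion converts "go1.21.5" into [1 21 5]. A missing patch level is
// zero and a pre-release suffix ("go1.22rc1") is cut at the first non-digit.
func parseGoVersion(v string) ([3]int, bool) {
	var out [3]int
	v = strings.TrimPrefix(v, "go")
	for i, p := range strings.SplitN(v, ".", 3) {
		end := 0
		for end < len(p) && p[end] >= '0' && p[end] <= '9' {
			end++
		}
		if end == 0 {
			return out, false
		}
		n, err := strconv.Atoi(p[:end])
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// BelowMinimum reports whether version have is older than version minVersion.
// Unparseable versions count as below the minimum, so a binary with odd or
// missing metadata is surfaced instead of silently accepted.
func BelowMinimum(have, minVersion string) bool {
	h, okH := parseGoVersion(have)
	m, okM := parseGoVersion(minVersion)
	if !okH || !okM {
		return true
	}
	for i := 0; i < 3; i++ {
		if h[i] != m[i] {
			return h[i] < m[i]
		}
	}
	return false
}

// ScanDir walks dir and returns every executable Go binary linked with a
// toolchain older than minVersion. Files without Go build info are skipped.
func ScanDir(dir, minVersion string) ([]GoBinary, error) {
	var stale []GoBinary
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		info, err := d.Info()
		if err != nil || !info.Mode().IsRegular() || info.Mode()&0o111 == 0 {
			return nil
		}
		b, err := InspectGoBinary(path)
		if err != nil {
			return nil // not a Go binary
		}
		if BelowMinimum(b.GoVersion, minVersion) {
			stale = append(stale, b)
		}
		return nil
	})
	return stale, err
}

func main() {
	dir, minVer := "/usr/bin", "go1.22.0" // constructed defaults; pass your own
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	if len(os.Args) > 2 {
		minVer = os.Args[2]
	}
	stale, err := ScanDir(dir, minVer)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan:", err)
		os.Exit(1)
	}
	for _, b := range stale {
		fmt.Printf("%s\t%s\t%s\n", b.Path, b.GoVersion, b.Module)
	}
}
```

Run it inside the built image (for example via `podman run --rm -it <image>` with the binary copied in) to get the same "built with an old Go" signal trivy reports, independent of any package database; the rpm query in the comment above tells you the file is unowned, this tells you which toolchain produced it.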

xynydev commented 3 days ago

I would rather just https://github.com/blue-build/cli/issues/216

default-flatpaks I think is currently the only module that requires yq at runtime (@fiftydinar can fact-check me on that)

Refactoring modules to not need yq, removing it completely, and adding Nushell (at least for some of the more complex modules) is part of the plan that I started the discussion for here: https://github.com/blue-build/cli/issues/257

Depending on which approach is chosen for including Nushell, conditionally including yq could be implemented the same way.

yq is currently part of stage-bins, so making that conditional could require some static analysis that might not be required with a more elegant refactoring https://github.com/blue-build/cli/blob/c774a80f5918f1fc4c30bb7e6464ba81977defe3/template/templates/stages.j2#L28
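The static analysis mentioned above could be as small as walking the recipe's module list and asking which module types need which binaries at runtime. The following is an added example, not code from the issue or from the BlueBuild CLI: it follows `from-file` includes, tolerates include cycles, and reports the runtime binaries the selected modules need, using the thread's statement that default-flatpaks is the only module that currently requires yq. The recipe, the included file and the module-to-binary table are constructed for the example, and the recipe shape it assumes (a `modules` list of entries with a `type`, or a `from-file` include whose target has its own `modules` list) is an assumption about the schema, not something taken from the project.

```python
from typing import Dict, Iterator, List, Mapping, Optional, Set

# Constructed table: module type -> binaries that module needs inside the
# finished image. Per the thread, default-flatpaks is the only current yq user.
RUNTIME_BINS: Dict[str, Set[str]] = {"default-flatpaks": {"yq"}}

# Constructed stand-in for a parsed recipe.yml (assumed schema, see lead-in).
RECIPE = {
    "name": "example-image",
    "base-image": "ghcr.io/ublue-os/silverblue-main",
    "modules": [
        {"type": "files", "files": [{"source": "system", "destination": "/"}]},
        {"from-file": "flatpaks.yml"},
        {"type": "signing"},
    ],
}

# Constructed stand-in for the files a from-file include would load.
INCLUDED_FILES = {
    "flatpaks.yml": {"modules": [{"type": "default-flatpaks", "notify": True}]},
}


def iter_modules(
    modules: List[Mapping],
    includes: Mapping[str, Mapping],
    _seen: Optional[Set[str]] = None,
) -> Iterator[Mapping]:
    """Yield every concrete module, expanding from-file includes.

    Each include file is expanded once; a file that includes itself (or is
    included twice) is skipped on the second visit, which keeps the walk finite
    without changing the set of module types seen.
    """
    seen = set() if _seen is None else _seen
    for module in modules:
        include = module.get("from-file")
        if include is None:
            yield module
            continue
        if include in seen:
            continue
        seen.add(include)
        target = includes.get(include)
        if target is None:
            raise FileNotFoundError(f"from-file target not found: {include}")
        yield from iter_modules(target.get("modules", []), includes, seen)


def required_bins(
    recipe: Mapping,
    includes: Mapping[str, Mapping],
    runtime_bins: Mapping[str, Set[str]] = RUNTIME_BINS,
) -> Set[str]:
    """Return the binaries that must be staged into the image for this recipe."""
    needed: Set[str] = set()
    for module in iter_modules(recipe.get("modules", []), includes):
        needed |= runtime_bins.get(module.get("type", ""), set())
    return needed


def needs_yq(recipe: Mapping, includes: Mapping[str, Mapping]) -> bool:
    """True if any selected module requires yq at runtime."""
    return "yq" in required_bins(recipe, includes)


if __name__ == "__main__":
    print("runtime bins:", sorted(required_bins(RECIPE, INCLUDED_FILES)))
    print("include yq:", needs_yq(RECIPE, INCLUDED_FILES))
```

The decision is made from the recipe alone, before any stage runs, which is what makes it usable from a template such as stages.j2: the template only has to consume a precomputed list of binaries rather than inspect module scripts. A module type that is not in the table contributes nothing, so adding a new yq consumer means adding one entry, not touching the walk.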

fiftydinar commented 3 days ago

> I would rather just https://github.com/blue-build/cli/issues/216

I agree.

However, @RoyalOughtness might consider this move as adding additional attack surface, since bash already exists. I would like to know his opinion on this regarding security.

We'll likely only install nushell when necessary, like you mentioned.

> default-flatpaks I think is currently the only module that requires yq at runtime (@fiftydinar can fact-check me on that)

Yes, that's correct.

xynydev commented 3 days ago

> adding additional attack surface, since bash already exists

True. Nushell is probably alright regarding security (based on vibes alone) and I wouldn't imagine it having a similar issue as yq with Golang versions (since it's in Rust lol, but also Rust has better backwards compatibility I think).