Closed pierreozoux closed 8 years ago
I think that would be amazing!!
What I need to start the project:
- a cryptographically signed build
Thanks :)
This is a very good idea, whether for Docker or not.
Regarding the Docker integration, we could have a basic Docker image for Known, and Docker Compose recipes for each supported web server. For instance known-apache/nginx linking apache/nginx to php-fpm and Known.
This would make it easier to support different web servers, as each could have different dependencies and specific configurations.
What do you think?
@paulcmal nice to see some interest :)
It is actually already ready!
https://github.com/indiehosters/known
Love to hear your feedback :)
@pierreozoux Thank you, it looks great!!
So we're down to the cryptographic signature of the code, right? Any idea @benwerd?
The cryptographic signature is not a hard requirement. We can publish without. It is up to us to decide.
The signature would be a good thing to have anyway, see discussion on #1073
Sorry I was behind on this thread. Is there a recommended way to create a cryptographically signed package? 0.9 is coming out this month and we should support this.
It is like email encryption actually. I don't know if you are familiar or not, but if not and you are interested in the topic, here is a good guide: https://emailselfdefense.fsf.org/en/
I don't know what the "recommended" way for packages is, but the two I know do it like this:
And then we could do something like that: https://github.com/piwik/docker-piwik/blob/master/Dockerfile#L30
And for the cherry on top, you publish a warrant canary: https://www.canarywatch.org/
Then we know that nobody forced you to sign a specifically crafted package to snoop in our servers :)
Tell me if you need further assistance!
I use PGP to protect our privacy, if you want to know more, you can follow this https://emailselfdefense.fsf.org/en/
If you have further questions, please do not hesitate to ask. You can verify my public key here: https://keybase.io/pierreozoux
This is awesome, and we will do it for 0.9.
Worth doing #1073 (distributing over HTTPS) as well.
... because it's 2016, and HTTP has officially been deprecated ;)
Known 0.9.0.1 has just been released on withknown.com, with an announcement to follow.
The way we're using S3 doesn't support TLS for hosted resources, which is daft, so we're going to be fixing that and serving them another way. But for now it's still HTTP.
Coolio; to confirm, that's fingerprint 53DE 5B99 2244 9132 8B92 7516 052D B5AC 742E 3B47 ?
On Tue, Feb 02, 2016 at 09:15:19AM -0800, Ben Werdmuller wrote:
- The key for hello@withknown.com has been uploaded to hkps://hkps.pool.sks-keyservers.net
- Each of known-0.9.0.1.zip, known-0.9.0.1.tgz and known-latest.zip now have a GPG signature, which can be found by appending .sig. We'll add this to our website too.
That's correct.
So long as the fingerprint of the signing key is published, and distributed via HTTPS, the fact that the download isn't is not absolutely terrible. Verification of the binary via the signing key should prevent tampering, however most folk won't do this, so you should still distribute via HTTPS.
(Oh, and it goes without saying you have decent OpSec procedures around your signing key... don't for example keep it on an internet connected machine, and certainly not your production server. You should also rotate keys fairly regularly)
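As an added example (not code from the Known project or from anyone in this thread), a POSIX shell function that does the check Marcus describes: it imports the published signing key into a throwaway keyring, verifies the detached .sig that ships next to each archive, and accepts the archive only when the signer's primary-key fingerprint matches the pinned one. The default fingerprint is the hello@withknown.com one confirmed above; the public key is assumed to have been fetched separately over HTTPS and saved to a local file, and gpg 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not the Known project's own code: verify a Known release
# archive against its detached .sig and accept it only if it was signed by
# the pinned key. Requires gpg 2.1 or later.
set -e

# Fingerprint of hello@withknown.com as confirmed in the thread (spaces removed).
KNOWN_FPR="53DE5B99224491328B927516052DB5AC742E3B47"

# verify_release ARCHIVE SIG PUBKEY_FILE [FINGERPRINT]
#   ARCHIVE      release file, e.g. known-0.9.0.1.tgz
#   SIG          detached signature, i.e. the same name with .sig appended
#   PUBKEY_FILE  the signing key, fetched over HTTPS beforehand (assumed local file)
#   FINGERPRINT  primary-key fingerprint to pin; defaults to KNOWN_FPR
# Returns 0 only for a good signature made by the pinned key, 1 otherwise.
verify_release() {
    archive="$1"; sig="$2"; pubkey="$3"; want="${4:-$KNOWN_FPR}"
    # Throwaway keyring: a stray key in ~/.gnupg must not be able to vouch
    # for a forged archive.
    tmp="$(mktemp -d)"
    chmod 700 "$tmp"
    if ! GNUPGHOME="$tmp" gpg --batch --quiet --import "$pubkey" >/dev/null 2>&1; then
        rm -rf "$tmp"
        return 1
    fi
    # Machine-readable verdict on fd 3; a failed verify simply yields no VALIDSIG line.
    GNUPGHOME="$tmp" gpg --batch --status-fd 3 --verify "$sig" "$archive" \
        3>"$tmp/status" >/dev/null 2>&1 || true
    # The last field of VALIDSIG is the primary fingerprint of the key that signed.
    got="$(awk '$2 == "VALIDSIG" { print $NF }' "$tmp/status")"
    GNUPGHOME="$tmp" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$tmp"
    # Exit status is the comparison: an empty $got (bad or missing signature) fails too.
    [ -n "$got" ] && [ "$got" = "$want" ]
}
```

A tampered archive, a missing signature, or a valid signature from any other key all return 1, so `verify_release known-0.9.0.1.tgz known-0.9.0.1.tgz.sig withknown.asc || exit 1` is enough to gate an install or a Docker build step.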
We don't have any airgapped machines at present, and don't foresee running any, so I'll take that last one under advisory ...
A workaround might be to keep the signing key on a pen drive and in a firesafe (good for business continuity if your laptop gets nicked if nothing else).
Use a strong and unique password to lock the keyring and ideally disconnect from the internet when signing (although the first two steps should largely mitigate key exfiltration).
Rotating fairly regularly and generating revocation certificates is also a good plan.
Thanks @benwerd https://github.com/indiehosters/known/commit/28f572462ba62558469cb14c62fe8f46d3d52233
So I still need 1 thing to PR the official docker repo:
Danke!
@pierreozoux https://github.com/idno/Known-Docker/ is ready to go!
All right! Let's close this one in favor of https://github.com/idno/Known-Docker/issues/1
Hi!
Did you ever consider putting Known on the official Docker images list?
https://github.com/docker-library/official-images/tree/master/library
If you are interested, I can PR a Dockerfile, and then we can work together to make it official :) I saw the community work, but:
Tell me what you think!
Best!