symgryph opened this issue 4 years ago (status: Open)
I will be happy to help in any way that I can. This project is a great alternative to the horrible Zoom privacy-invading monster!
There is also a nice utility, called 'docker-slim', which will remove unnecessary cruft from images, making them WAY smaller and less likely to have security issues. I could help with that too if there is interest. It's positively amazing that this thing works with as little work as I put into it! docker-compose up -d with a few tweaks and excellent directions. I especially like the automatic 'make certs work' thing with Let's Encrypt.
Thank you for the kind words and the analysis!
Coincidentally, the etherpad container is the only one we didn’t build so it doesn’t share our base. Our base uses debian-slim as a starting point and updates all dependencies on every build. We should probably have our own etherpad image for consistency and in order to be able to guarantee the same level of security updates.
I’d suggest you also report these to the Etherpad project, since we are currently using their image.
Thanks for the tip on the slim tool, I’ll give it a try!
I would prefer to use the official etherpad image, because if you really need a change to the official repository you have the jitsi image as a dependency and have to wait until jitsi updates the image. So it would add an additional dependency to the deployments.
I think this has to be fixed in the official image. The best approach would be to just inform them about these problems so that it gets fixed for as many users as possible.
@saghul The jitsi/etherpad image also seems to be really outdated. Etherpad has been using Debian 10 for 5 months; maybe it's outdated on the machine you are building the images on?
It was pulled directly from the sources that evening, aka it pulled the image from the docker-compose config.
Thomas J Munn
On Mar 29, 2020, at 08:27, Paul Tiedtke notifications@github.com wrote:
@saghul The jitsi/etherpad image also seems to be really outdated. Etherpad has been using Debian 10 for 5 months; maybe it's outdated on the machine you are building the images on?
@symgryph I'm not talking about the jitsi/etherpad image being outdated on your machine; I'm thinking that the base image etherpad/etherpad is outdated on the machine @saghul is building the images on. This means that jitsi/etherpad is based on an older version of etherpad/etherpad, which includes more vulnerabilities.
Aha! That would explain it indeed! My bad. I'll make sure I update. It's probably high time I do a release.sh script too...
LOVE the service you people are doing, but there are several critical vulnerabilities as found by Trivy. I am attaching them. Need help building Alpine versions? Or 'more secure' Debian stuff? I could help. Would love to get it working with Docker ns remaps too!
Most of the images seem good in that they don't seem to have unfixed or high/critical issues, etc. The only image with issues is the etherpad one.
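A defender-side gate for the kind of Trivy report attached to this issue, making the distinction drawn above between unfixed findings and ones that a rebuild with updated dependencies would remove. This is an added example, not code from the thread or from the Jitsi project. It assumes the JSON layout of `trivy image --format json` (a top-level "Results" list whose entries carry "Vulnerabilities" with "Severity" and "FixedVersion" fields); the embedded report, its image name and its CVE identifiers are constructed placeholders, not findings from jitsi/etherpad.

```python
"""Gate a Trivy JSON image report: block on HIGH/CRITICAL findings that have a fix.

Added example (not the project's code). Assumes the JSON layout of
`trivy image --format json`: a top-level "Results" list, each entry with a
"Target" and a "Vulnerabilities" list whose items carry "VulnerabilityID",
"PkgName", "InstalledVersion", "FixedVersion" and "Severity".
"""
import json
import sys
from collections import Counter

# Constructed sample report. The vulnerability IDs and image name are
# placeholders, not real findings from the jitsi/etherpad image.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/etherpad:placeholder-tag",
    "Results": [
        {
            "Target": "example/etherpad:placeholder-tag (debian 9.12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-1", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-2", "PkgName": "libexample2",
                 "InstalledVersion": "2.3-0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-3", "PkgName": "libexample3",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "MEDIUM"},
            ],
        },
        # Non-OS targets (e.g. a lockfile) may carry no findings at all.
        {"Target": "Node.js", "Vulnerabilities": None},
    ],
})

# Constructed report with no findings, for the passing case.
CLEAN_REPORT = json.dumps({"Results": [{"Target": "clean:tag", "Vulnerabilities": None}]})

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def iter_vulnerabilities(report):
    """Yield (target, vulnerability) pairs, tolerating both report layouts."""
    # Older Trivy releases emitted the results list directly; newer ones wrap it.
    results = report.get("Results", []) if isinstance(report, dict) else report
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def summarize(report_text):
    """Return (counts, blocking): counts keyed by (severity, 'fixable'|'unfixed'),
    blocking = the findings that should fail the build."""
    report = json.loads(report_text)
    counts = Counter()
    blocking = []
    for target, vuln in iter_vulnerabilities(report):
        severity = (vuln.get("Severity") or "UNKNOWN").upper()
        fixed_in = vuln.get("FixedVersion") or ""
        counts[(severity, "fixable" if fixed_in else "unfixed")] += 1
        # Only findings the distro has already fixed are actionable by a rebuild
        # that upgrades packages; unfixed ones are reported but not blocked on.
        if severity in BLOCKING_SEVERITIES and fixed_in:
            blocking.append({
                "id": vuln.get("VulnerabilityID", "?"),
                "package": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": fixed_in,
                "severity": severity,
                "target": target,
            })
    return counts, blocking


def gate(report_text):
    """True when the image passes: no fixable HIGH/CRITICAL findings."""
    return not summarize(report_text)[1]


def main(argv):
    # Usage: python trivy_gate.py [report.json]; without a path the sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    counts, blocking = summarize(text)
    for (severity, state), n in sorted(counts.items()):
        print(f"{severity:<9} {state:<8} {n}")
    for finding in blocking:
        print(f"BLOCK {finding['severity']} {finding['id']} {finding['package']} "
              f"{finding['installed']} -> {finding['fixed']} ({finding['target']})")
    return 0 if gate(text) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To run it against a real image, produce the report with `trivy image --format json -o report.json <image>` and pass that file to the script; a non-zero exit then fails the build step. Trivy itself also has `--severity`, `--ignore-unfixed` and `--exit-code` flags that express the same policy in one command; the script only makes the fixable/unfixed split visible in the summary, which is the number that tells you whether rebuilding on a freshly updated base (as the jitsi base images do) would actually clear the findings.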