waytrade / ib-gateway-docker

Docker image with IB Gateway and IBC
MIT License

Vendoring of IB Gateway #1

Closed fujiapple852 closed 3 years ago

fujiapple852 commented 3 years ago

@mfrener thank you for this Dockerized IB Gateway, it looks really good!

One thing I observed when reviewing it is that the Dockerfile pulls in a copy of the IB Gateway software from a file in the releases directory rather than the official IB software.

I imagine this is likely to avoid breakages as and when IB update the version stable points at? Whilst that makes sense (if IB do not provide permalinks to a specific version), it looks rather suspicious when reviewing the code, as the target file is not under revision control and so could change at any time.

Whilst not ideal for a large binary, perhaps it would be better to vendor the software in the git repo?

Another option may be to target a channel (i.e. stable / latest) rather than a specific version and then pull it directly from the official IB website?

mfrener commented 3 years ago

The reason to move away from downloading the IB Gateway from their website directly (I did that on the old version) is lack of versioning. There is only a stable / latest version on their page, but they do not allow access to a specific version. Means: you never know what you build. What happened pretty often with the old approach is that docker images suddenly stopped working after a re-build, because something in IB Gateway changed. The issue that actually caused me to create this new "hard versioned" image was a "Bid/Ask size changed" warning some weeks ago that caused market data to stop working (https://github.com/IbcAlpha/IBC/issues/134). I wanted to make it possible to re-build one specific version later on and not always depend on playing the "what do I get today? does it still work?" lottery.

> Whilst not ideal for a large binary, perhaps it would be better to vendor the software in the git repo?

Can't do it in the git repo directly, as GitHub has restrictions on binary file size. Tried git LFS already, but only 1GB of traffic is free, then you need to upgrade (limit was reached within 30 min after putting it live). Attaching it to releases seems to be the preferred approach on GitHub for "upload-once" binary files that are related to a specific release - so I did that.

I have added a new "IB Gateway installation files" section to readme explaining why the Gateway installer files are there and how you can change it if you don't trust ;) https://github.com/waytrade/ib-gateway-docker#ib-gateway-installation-files

fujiapple852 commented 3 years ago

It sounds like you've already given this a lot of thought! The readme change helps, thanks. One other idea was adding a checksum validation to the downloaded version to tie it into a known version in the repo. See PR https://github.com/waytrade/ib-gateway-docker/pull/2

mfrener commented 3 years ago

Merged your change and will add checksums for any new version releases, so there is a verification between what the repo refers to and the actually downloaded file. Still doesn't save you from me uploading a hacked Gateway version and putting the wrong SHA in the repo (until you cross-check the version with the IB homepage), though :P For paper-account / quick testing, you can simply pull https://hub.docker.com/r/waytrade/ib-gateway But my recommendation for live-account usage is to clone this repo and build the image on your own, maybe even IBC if you are really paranoid, including a review of what you add. So you have full control over the "non-IB" code paths that process your credentials. Really surprised there are people like you actually doing this - rule 1: never trust any 3rd party on handling your credentials (this includes me and my code). Safest way is to review the code and build it on your own before you use it with a live account. @fujiapple852 👍

So closed this. Dockerfile will continue to reference into releases of this project, so it's easy to re-build a specific version, while having a note about it in the readme. If you plan to use this with a live account and want to be on the safe side, fork (or make sure the checksums or repo align with the ones from the official version) and build on your own to make sure you don't pull a hacked image from Docker Hub.

Would love IB to add proper OAuth + encryption to IB Gateway client-side, this "user must enter username/password and then it opens a port, free4all" is ridiculous..
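
The checksum validation and the cross-check against the official download discussed in this thread, as an added example that is not part of the thread or the project's Dockerfile. The function names (`sha256_of`, `verify_pinned`, `same_digest`) and file names are assumptions, and the sample installer is constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a checksum pinned in the repo.

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE SUMFILE
# SUMFILE holds one line in sha256sum format: "<64 hex>  <name>".
# Returns 0 on match, 1 on mismatch, 2 if an input is missing or the pin is malformed.
verify_pinned() {
    vp_file=$1; vp_sums=$2
    [ -r "$vp_file" ] && [ -r "$vp_sums" ] || { echo "missing file or checksum" >&2; return 2; }
    # Use only the digest field, so a renamed installer still verifies.
    vp_want=$(awk 'NR==1 {print tolower($1)}' "$vp_sums")
    # Fail closed: an empty or truncated pin must never count as a match.
    printf '%s' "$vp_want" | grep -Eq '^[0-9a-f]{64}$' || { echo "malformed pinned checksum" >&2; return 2; }
    vp_got=$(sha256_of "$vp_file")
    if [ "$vp_got" != "$vp_want" ]; then
        echo "checksum mismatch: pinned $vp_want, got $vp_got" >&2
        return 1
    fi
    return 0
}

# same_digest A B: cross-check the release asset against a copy fetched
# independently from the vendor, so the pin itself is not the only anchor.
same_digest() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Demo on constructed data (not a real installer).
demo=$(mktemp -d)
printf 'constructed installer bytes\n' > "$demo/ibgateway-installer.sh"
printf '%s  ibgateway-installer.sh\n' "$(sha256_of "$demo/ibgateway-installer.sh")" \
    > "$demo/ibgateway-installer.sh.sha256"
verify_pinned "$demo/ibgateway-installer.sh" "$demo/ibgateway-installer.sh.sha256" && echo "pinned checksum OK"
printf 'tampered\n' >> "$demo/ibgateway-installer.sh"
verify_pinned "$demo/ibgateway-installer.sh" "$demo/ibgateway-installer.sh.sha256" || echo "build should stop here"
rm -rf "$demo"
```

In a Dockerfile `RUN` step, a non-zero return from `verify_pinned` fails the build before the installer is executed.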