Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: Pin docker images with SHA instead of tag. #2735

Merged
merged 1 commit into from
Sep 14, 2021
Merged

build: Pin docker images with SHA instead of tag. #2735

merged 1 commit into from
Sep 14, 2021

Conversation

naveensrinivasan
Copy link
Contributor

@naveensrinivasan naveensrinivasan commented Sep 6, 2021
edited by davecgh
Loading

davecgh
davecgh requested changes Sep 6, 2021
View reviewed changes
Copy link
Member

@davecgh davecgh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR. I commented inline, but these hashes don't match the official images for me.

Dockerfile Show resolved Hide resolved
Dockerfile.alpine Show resolved Hide resolved
@davecgh davecgh changed the title Pinned docker images based SHA instead of tag build: Pin docker images with SHA instead of tag. Sep 6, 2021
davecgh
davecgh reviewed Sep 7, 2021
View reviewed changes
Copy link
Member

@davecgh davecgh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed hashes.

Please use rebase to squash the two commits into a single commit and make the title match the one in the PR per the code contribution guidelines for commit messages.

As a bit of an aside, I am aware using hashes is generally the recommendation and therefore I'm fine with accepting this, but honestly, I'm not really convinced it's all that great of a recommendation in general.

I completely understand the potential security issue, since the tag could be changed, but it comes at the expense of being limited to a single architecture per Dockerfile (amd64 in this case) and is also potentially worse for security in the sense it means you are no longer getting the latest versions with security patches applied unless you happen to notice and/or go check every day for updates manually.

So, which one is actually a bigger threat though? Dockerhub being compromised and having an image changed right before someone pulls or almost positively running out of date software that likely has security vulnerabilities in it?

This, among several other reasons, are a big part of why I never use docker personally.

@naveensrinivasan
Copy link
Contributor Author

Confirmed hashes.

Please use rebase to squash the two commits into a single commit and make the title match the one in the PR per the code contribution guidelines for commit messages.

I will squash the commits.

As a bit of an aside, I am aware using hashes is generally the recommendation and therefore I'm fine with accepting this, but honestly, I'm not really convinced it's all that great of a recommendation in general.

I completely understand the potential security issue, since the tag could be changed, but it comes at the expense of being limited to a single architecture per Dockerfile (amd64 in this case) and is also potentially worse for security in the sense it means you are no longer getting the latest versions with security patches applied unless you happen to notice and/or go check every day for updates manually.

The upgrades of these shouldn't be an issue if https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates is enabled in the repository.

Dependabot is aware of these hashes and would upgrade to the latest version of the hash.

This is a practice for avoiding supply chain attacks. Supply chain attacks are the low hanging fruits when compromised can have a large impact.

On a different note why not enable dependabot for getting security updates?

So, which one is actually a bigger threat though? Dockerhub being compromised and having an image changed right before someone pulls or almost positively running out of date software that likely has security vulnerabilities in it?

This, among several other reasons, are a big part of why I never use docker personally.

@davecgh
Copy link
Member

davecgh commented Sep 7, 2021
edited
Loading

Dependabot is aware of these hashes and would upgrade to the latest version of the hash.

Good to know, I wasn't aware it worked with Docker images. I thought it was aimed more at node.js since that is where I have seen all of the notifications from other repos.

On a different note why not enable dependabot for getting security updates?

Some of the repositories that are less critical have it enabled. For dcrd though, our security policy is that every dependency update for the main process (I plan to move Docker stuff to the contrib folder in the future because it falls outside of that) must be manually reviewed. That includes all of the commits in the dependency and any of its dependencies, etc. Letting 3rd-party applications, such as dependabot, make changes to the code automatically is a no go since that would make all code in the repository vulnerable if that 3rd-party application were to be compromised.

That said, I think it's possible to enable it without giving permission to change code so it can notify, but not automatically update. That would be worth doing and is a good suggestion.

EDIT: Actually I see dependabot alerts are already enabled for the repo.

@naveensrinivasan
Copy link
Contributor Author

Dependabot is aware of these hashes and would upgrade to the latest version of the hash.

Good to know, I wasn't aware it worked with Docker images. I thought it was aimed more at node.js since that is where I have seen all of the notifications from other repos.

On a different note why not enable dependabot for getting security updates?

Some of the repositories that are less critical have it enabled. For dcrd though, our security policy is that every dependency update for the main process (I plan to move Docker stuff to the contrib folder in the future because it falls outside of that) must be manually reviewed. Letting 3rd-party applications, such as dependabot, make changes to the code automatically is a no go since that would make all code in the repository vulnerable if that 3rd-party application were to be compromised.

That said, I think it's possible to enable it without giving permission to change code so it can notify, but not automatically update. That would be worth doing and is a good suggestion.

Dependabot opens a PR and it gives an option to verify changes. Also, dependabot notifies on security vulnerability only to repo owners.

@naveensrinivasan
Pinned docker images based SHA instead of tag
e7ac35b 
* Pinned the docker images to be based on SHA instead of tags.
* https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
* Tags can be moved which poses a security risk.

Included comments with the actual image name.
@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/fix-docker-sha branch from cf9117c to e7ac35b Compare September 13, 2021 20:07
@naveensrinivasan
Copy link
Contributor Author

Squashed my commits into a single commit.

@davecgh davecgh merged commit 061b10b into decred:master Sep 14, 2021
@davecgh davecgh added this to the 1.7.0 milestone Sep 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JoeGruffins JoeGruffins JoeGruffins approved these changes

@davecgh davecgh davecgh approved these changes

@dnldd dnldd dnldd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.7.0
Development

Successfully merging this pull request may close these issues.
4 participants
@naveensrinivasan @davecgh @dnldd @JoeGruffins