by glckr 2543 days ago
Tip #6 (Use official images when possible) is certainly convenient when you're just spinning up something (I use them in local docker-composes all the time), but it's surely opening yet another security hole when it comes to prod. We're not lacking examples where packages are hijacked (feels like it happens constantly on npm, rubygems had it just the other day...), and docker hub has already had one security breach.

Perhaps worth a mention in this blogpost?

You can use the official images and tag them with the SHA image ID - that should give cryptographically enforced security and reproducibility.
Actually, if you use the SHA256 of the image as a reference for the FROM (ex: tomcat@sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f), and if there is no tag associated with that SHA, there is a chance that the Docker Registry will garbage-collect it. The Docker Inc garbage collection frequency is not well documented.
Hello, I am one of the engineers on Docker Hub. If the image was ever pushed via a tag (which must be the case if it was done via the docker CLI), then that image is never deleted (unless the tag is deleted from the Hub UI and no other tag refers to it). This means that if sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f was referred to by the latest tag, and latest was later pushed to another image, then `FROM tomcat@sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f` will continue to work. Apologies for not having this documented. I'll work on getting this documented on https://docs.docker.com/docker-hub/.
There is no other behaviour that you'd want for that situation though... garbage collection is necessary, and if your cryptographically pinned content is deleted, you want something to fail rather than change to different content.
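The comments above describe pinning a base image by its sha256 digest instead of a mutable tag. A practical defender's check is to scan Dockerfiles for FROM lines that still rely on a tag alone. The following is an added example, not code from the blog post or from Docker; the Dockerfile text it scans is constructed for illustration (the tomcat digest is the one quoted in the thread), and the regexes are a simplified approximation of Dockerfile syntax rather than Docker's own parser.

```python
import re

# An image reference pinned to content, e.g. tomcat@sha256:<64 lowercase hex chars>.
# A tag (tomcat:9, tomcat:latest) can be repointed by the registry; a digest cannot.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# FROM [--flag=value ...] <image-ref> [AS <stage-name>]
# Simplified: does not expand ARG-based references or handle line continuations.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)

# Constructed sample: one tag-only stage, one digest-pinned stage, one stage
# reference and one 'scratch' base. Only the first should be flagged.
SAMPLE_DOCKERFILE = """\
# constructed sample Dockerfile for the pin check
FROM --platform=linux/amd64 golang:1.21 AS build
RUN go build -o /app ./...
FROM tomcat@sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f AS runtime
COPY --from=build /app /usr/local/bin/app
FROM runtime
FROM scratch
"""


def parse_from_lines(dockerfile_text):
    """Return (line_no, image_ref, stage_name_or_None) for every FROM instruction."""
    results = []
    for line_no, raw in enumerate(dockerfile_text.splitlines(), start=1):
        m = FROM_RE.match(raw)
        if m:
            results.append((line_no, m.group(1), m.group(2)))
    return results


def unpinned_images(dockerfile_text):
    """Return (line_no, image_ref) for FROM lines whose external base is not digest-pinned.

    Names of earlier build stages and the reserved 'scratch' base are skipped:
    they are not registry images, so there is nothing to pin.
    """
    stages = set()
    findings = []
    for line_no, ref, stage in parse_from_lines(dockerfile_text):
        if ref not in stages and ref != "scratch" and not DIGEST_RE.search(ref):
            findings.append((line_no, ref))
        if stage:
            stages.add(stage)
    return findings


if __name__ == "__main__":
    for line_no, ref in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: base image '{ref}' is not pinned to a sha256 digest")
```

Run against the sample, the check reports only the golang stage; the tomcat line passes because the digest, not the tag, selects the content. A reference of the form `image:tag@sha256:...` also passes, since the digest still governs what is pulled. Pinning does not vet the image itself (the thread's point about past modifications stands), but it turns a silent upstream change into a build-time failure instead of a different image.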
This counts for absurdly little in the Docker ecosystem
Huh? Why wouldn’t it protect you from malicious modifications to the image in the future? Past mods might be a problem, but these are the official images we’re talking about.
Can you explain?