You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2020/02/03 21:57:37 UTC

[GitHub] [guacamole-client] manolan1 commented on issue #469: GUACAMOLE-890: Security: Allow image to run as non-root user

manolan1 commented on issue #469: GUACAMOLE-890: Security: Allow image to run as non-root user
URL: https://github.com/apache/guacamole-client/pull/469#issuecomment-581638438
 
 
   You all seem to have missed the point! ;)
   
   Regardless of this change, we should be switching to the jdk8 suffix. It is
   not a question of size, it is a question of support. I don't see that there
   is an option.
   
   The jre8 suffix is NOT an officially supported tomcat container. See here
   for supported tags: https://hub.docker.com/_/tomcat?tab=description or
   https://github.com/docker-library/official-images/blob/master/library/tomcat
   
   The jre8 tag *is* available. It was last updated 8 months ago vs 23 Dec for
   the jdk8 image. Unsurprisingly, the jre8 image is not part of the tomcat
   docker build process, as you can see from any recent build reports.
   
   Here is the pull request for that change (
   https://github.com/docker-library/tomcat/pull/158). I am sure the
   requirement for the jdk does not affect us, but I really think we should be
   using a supported image and all jre images have been removed.
   
   M.
   .
   
   
   
   On Sun, 2 Feb 2020 at 21:39, Virtually Nick <no...@github.com>
   wrote:
   
   > *@necouchman* commented on this pull request.
   > ------------------------------
   >
   > In Dockerfile
   > <https://github.com/apache/guacamole-client/pull/469#discussion_r373877390>
   > :
   >
   > > @@ -25,7 +25,7 @@
   >  # such as `--build-arg TOMCAT_JRE=jre8-alpine`
   >  #
   >  ARG TOMCAT_VERSION=8.5
   > -ARG TOMCAT_JRE=jre8
   > +ARG TOMCAT_JRE=jdk8
   >
   > I also don't think a world-writable directory is the right way to go - the
   > directory should have the correct ownership and permissions, not just the
   > ones that work because we've blown everything open. If we're trying to
   > improve security with this issue, making something world-writable seems
   > contradictory to that effort.
   >
   > —
   > You are receiving this because you were mentioned.
   > Reply to this email directly, view it on GitHub
   > <https://github.com/apache/guacamole-client/pull/469?email_source=notifications&email_token=AB4VJ5A47ODT7FRLO3QA7RLRA44S3A5CNFSM4KNTHIJ2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCT5KAZA#discussion_r373877390>,
   > or unsubscribe
   > <https://github.com/notifications/unsubscribe-auth/AB4VJ5E5ESVYKNI3POI6ZI3RA44S3ANCNFSM4KNTHIJQ>
   > .
   >
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services