Re-evaluate container dependencies to mitigate potential CVEs #232

Closed
deeplow opened this issue Oct 19, 2022 · 2 comments
deeplow commented Oct 19, 2022

We can improve security to the same level as #222 by reducing the software we ship in the container and replacing vulnerability-prone software.

This includes a re-evaluation of the software in container/dangerzone.py and container/Dockerfile.

Notable examples are:

  • removing sudo dependency
  • GraphicsMagick - used in the first (more exposed container) as well as in the second one. The Qubes
  • Libreoffice - perhaps shipping a headless / more stripped down version
  • supply chain security: making sure we only download packages from verified sources (in particular PDFtk)
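The last bullet above, only installing what the image build fetched from a verified source, as an added example that is not Dangerzone's own build script and carries no real PDFtk digest: a POSIX shell helper that pins each downloaded artifact to a SHA-256 digest recorded beside the Dockerfile and discards the file on mismatch. The URL, destination and digest passed to `fetch_verified` are assumed placeholders supplied by the caller; the demo runs on constructed local files so it needs no network.

```shell
#!/bin/sh
# Added example, not Dangerzone's own build script. Pattern: every artifact the
# image build fetches outside the package manager is pinned to a SHA-256 digest,
# and a digest mismatch aborts the build instead of installing the file.
set -eu

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the pinned one, 1 otherwise.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(digest_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Download URL to DEST over TLS only, then verify it. On mismatch the file is
# removed so that no later build step can install it by accident.
# (url/dest/expected are placeholders chosen by the caller.)
fetch_verified() {
    url="$1"
    dest="$2"
    expected="$3"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
    return 0
}

# Offline demo on constructed files; the pinned value is the SHA-256 of "hello\n".
demo() {
    tmp=$(mktemp -d)
    pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    printf 'hello\n' > "$tmp/pdftk.bin"           # constructed: what the publisher shipped
    printf 'hellp\n' > "$tmp/pdftk-tampered.bin"  # constructed: one byte changed in transit
    verify_sha256 "$tmp/pdftk.bin" "$pinned" && echo "pdftk.bin: digest OK"
    verify_sha256 "$tmp/pdftk-tampered.bin" "$pinned" || echo "pdftk-tampered.bin: rejected"
    rm -rf "$tmp"
}

demo
```

In a Dockerfile this runs as a single `RUN` step with the digest hard-coded in the image source, so a changed upstream file fails the build rather than silently landing in the container. Packages installed from the official Alpine repositories are already signature-checked by `apk` against the keys in the image, so this helper is only for artifacts pulled in outside the package manager.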
@apyrgio apyrgio changed the title Re-evaluate container dependencies mitigate potential CVEs Re-evaluate container dependencies to mitigate potential CVEs Oct 20, 2022
apyrgio commented Oct 20, 2022

I'd add removing sudo in the above list. Other than that, I fully agree.

@apyrgio apyrgio added this to the 0.4.0 milestone Oct 26, 2022
@eloquence eloquence modified the milestones: 0.4.0, 0.5.0 Nov 9, 2022
deeplow commented Jan 9, 2023

Removing openjdk-8 dependency

default-jre and Java dependencies had been added initially because of libreoffice-java-common, which is no longer present.

Then, when the image was changed from ubuntu to alpine, default-jre was replaced with openjdk-8.

If Java is still a dependency of LibreOffice, then it should be pulled in automatically. There should be no need to state it explicitly. And tests pass.

deeplow added a commit that referenced this issue Jan 10, 2023
@apyrgio apyrgio modified the milestones: 0.5.0, 0.4.2 Aug 23, 2023