matomo-org/docker

Add a disclaimer/caveat to the ReadMe

atom-box opened this issue · 5 comments

Based on emails we get, folks treat this repo with a lot of trust -- more than we intend.
We should consider adding a stronger disclaimer, preferably on the readme page.

It would be great if we added the following. This is a saved reply we have sent before from the Support email team:

Please note that the Matomo docker images do not form part of our automated security assessments and vulnerability scans. We only do this for the Matomo codebase itself.

If you need to fix this in order to deploy the container to your network, then there are a few options available to you:

  • Build your own docker image to be used for your Matomo deployment. For our security-focused users, this is going to be the best method available as it ensures you have complete and full control of all dependencies and packages installed in the container itself or
  • Update the vulnerable packages in the docker image and save the patched image as your base image for deployment. This is likely the easiest solution if you don't want to go through the process of building your own docker image from scratch. The process of updating packages and committing the changes to the base image is out of the scope of our support, but there are several guides online that you can use to make the necessary changes to your docker image.
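The second option in that saved reply, rebuilding the published image with its OS packages upgraded and then rescanning the result, as a concrete script. This is an added example, not code from the matomo-org/docker project or the Matomo support team. It assumes the Debian-based `matomo:apache` tag from Docker Hub, a placeholder image name `matomo-patched:local`, and that `trivy` is installed for the rescan; any other scanner works the same way as long as its exit code is honoured.

```shell
#!/bin/sh
# Added example (not part of the matomo-org/docker project): layer a package
# upgrade on top of the official image instead of patching a running container
# and `docker commit`-ing it, so the patched base is reproducible from source.
# Assumptions: base image "matomo:apache" (Debian-based), placeholder output
# image "matomo-patched:local", and trivy available for the rescan.
set -eu

# Emit a Dockerfile that upgrades every Debian package in BASE.
# $1 = base image reference, $2 = path of the Dockerfile to write.
write_patched_dockerfile() {
    base="$1"
    out="$2"
    cat > "$out" <<EOF
# Pin the upstream image. For an immutable base, replace the tag with the
# digest printed by: docker inspect --format '{{index .RepoDigests 0}}' $base
FROM $base

# The official image does not switch to a non-root USER, so apt runs as root.
# Upgrade all installed packages and remove the apt lists so the layer does
# not ship stale package indexes.
RUN set -eux; \\
    apt-get update; \\
    apt-get -y upgrade; \\
    rm -rf /var/lib/apt/lists/*
EOF
}

# Build the patched image from a fresh pull of the base, then rescan it.
# The scanner's exit code, not the build, decides whether it is deployable.
# $1 = base image reference, $2 = name for the patched image.
build_and_scan() {
    base="$1"
    image="$2"
    dir="$(mktemp -d)"
    write_patched_dockerfile "$base" "$dir/Dockerfile"
    docker build --pull -t "$image" "$dir"
    # Fail (exit 1) if any HIGH or CRITICAL finding remains after the upgrade.
    trivy image --exit-code 1 --severity HIGH,CRITICAL "$image"
}

# Run the build only when explicitly requested, so the functions can be
# sourced or checked without a Docker daemon present.
if [ "${MATOMO_PATCH_BUILD:-0}" = 1 ]; then
    build_and_scan matomo:apache matomo-patched:local
fi
```

Run it with `MATOMO_PATCH_BUILD=1 sh patch-matomo.sh`. Two caveats a practitioner will want: an `apt-get upgrade` only fixes what Debian has already shipped a fix for, so findings in packages without an upstream fix survive the rebuild and still need a risk decision; and rebuilding on every base-image update (hence `--pull`) is what keeps the patched image from drifting into the same neglected state the reporter below complains about.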

Ugh. Given the mishaps in getting the container up for a quick assessment/demo + this issue informing me of "complete and full control of all dependencies and packages..." leads to my confidence in this project quickly waning.

We expect project owners to not only offer containers, but also ensure integrity with their container offerings. My team is focused on delivering results rather than goose chase finger traps. No container or neglected container is so last century.

We may revisit sometime next year.

@ezekieldas thank you for your feedback. We will pass it on to the product team.

In the meantime, you can browse the free demo on https://demo.matomo.cloud/ or quickly establish a free trial with all the premium features via https://matomo.org and https://matomo.org/lets-get-started/.

We had another user today report that they use this matomo docker image "as is", without customizing it.