truecharts/containers

Security: Base containers use deprecated images, affects 100% of charts due to multi-init

disconn3ct opened this issue · 6 comments

App Name

truecharts/ubuntu:latest, multi-init

SCALE Version

Not using SCALE

App Version

latest

Application Events

https://github.com/k8s-at-home/container-images/blob/main/README.md#%EF%B8%8F-deprecation-and-archive-notice

Application Logs

n/a

Application Configuration

n/a

Describe the bug

Multi-init is based off of a deprecated image.

To Reproduce

https://github.com/truecharts/containers/search?q=ghcr.io%2Ftruecharts%2Fubuntu

Expected Behavior

I expected to find supported, updated and safe containers used

Screenshots

.

Additional Context

.

I've read and agree with the following

  • I've checked all open and closed issues and my issue is not there.
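The title's "100% of charts" figure comes from inheritance: charts use multi-init, which is built on truecharts/ubuntu, which is in turn built on the k8s-at-home image. The following is an added Python example (not code from this issue or from the TrueCharts project) that audits a set of Dockerfiles for that kind of inherited dependency on a deprecated base; the Dockerfile contents and the `someapp`/`other` image names are constructed for illustration.

```python
import re

# Constructed sample Dockerfiles keyed by the image each builds (hypothetical
# contents for illustration, not TrueCharts' actual files).
IMAGES = {
    "ghcr.io/truecharts/ubuntu": "FROM ghcr.io/k8s-at-home/ubuntu-jammy:latest\n"
                                 "RUN apt-get update && apt-get -y upgrade\n",
    "ghcr.io/truecharts/multi-init": "ARG BASE=ghcr.io/truecharts/ubuntu:latest\n"
                                     "FROM ${BASE}\nCOPY init.sh /init.sh\n",
    "ghcr.io/truecharts/someapp": "FROM ghcr.io/truecharts/multi-init:latest AS init\n"
                                  "FROM docker.io/library/alpine:3.18\n"
                                  "COPY --from=init /init.sh /init.sh\n",
    "ghcr.io/truecharts/other": "FROM docker.io/library/alpine:3.18\n",
}
# Bases whose owners published a deprecation notice (k8s-at-home, linked in the issue).
DEPRECATED = {"ghcr.io/k8s-at-home/ubuntu-jammy"}


def parse_bases(dockerfile):
    """Image names (tag/digest stripped) that FROM lines pull in; resolves ARG
    defaults used in FROM and skips FROM lines naming an earlier stage alias."""
    args, aliases, bases = {}, set(), []
    for line in dockerfile.splitlines():
        if m := re.match(r"\s*ARG\s+(\w+)=(\S+)", line, re.I):
            args[m.group(1)] = m.group(2)
        elif m := re.match(r"\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", line, re.I):
            ref = re.sub(r"\$\{?(\w+)\}?", lambda v: args.get(v.group(1), ""), m.group(1))
            if ref.lower() in aliases:
                continue  # refers to a previous build stage, not an external image
            if m.group(2):
                aliases.add(m.group(2).lower())
            head, _, last = ref.split("@", 1)[0].rpartition("/")  # drop digest
            last = last.split(":", 1)[0]  # drop tag (registry ports live in head)
            bases.append(f"{head}/{last}" if head else last)
    return bases


def deprecated_chain(image, images=IMAGES, deprecated=DEPRECATED, path=()):
    """FROM chain from `image` down to a deprecated base, or [] if none."""
    if image in path:
        return []  # cycle guard
    if image in deprecated:
        return [image]
    for base in parse_bases(images.get(image, "")):
        if chain := deprecated_chain(base, images, deprecated, path + (image,)):
            return [image] + chain
    return []


def audit(images=IMAGES, deprecated=DEPRECATED):
    """Map each affected image to the FROM chain that reaches a deprecated base."""
    return {i: c for i in images if (c := deprecated_chain(i, images, deprecated))}
```

Running `audit()` over the sample reports three affected images, each with the chain that explains the finding, while `other` (plain Alpine) is not flagged.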

The containers are safe and kept up-to-date with upstream ubuntu.

The repo deprecation does not affect this at this time.

Please don't run into assumptions next time, and be sure to ask on the Discord first when in doubt.

Also: please note multi-init runs at most a few minutes and is only running internally.

"We only run the untrusted code briefly" is not a fix. Is that the official iXsystems position on deprecations?

@disconn3ct You've ignored half of my comment on this.
Again:
Up until today, the k8s-at-home ubuntu base is still getting automatic updates. We are closely monitoring the situation, but there is no "outdated" container being used here.

"We only run the untrusted code briefly" is not a fix. Is that the official iXsystems position on deprecations?

We're not related to iX-Systems in any way, shape or form.
So I cannot comment on what they think about this, nor do I really care.

Can you show me the recent updates? When I go to https://github.com/k8s-at-home/container-images/pkgs/container/ubuntu-jammy it shows "3 months ago".

Re iX-Systems, forgive my assumption. For what it is worth, the blog, especially the project intro, very much reads a lot like a TrueNAS marketing announcement. I'll keep in mind that it is not.

Can I ask if TrueCharts' official position on deprecated/insecure code is "it is fine if it doesn't run very often"?

Can you show me the recent updates? When I go to https://github.com/k8s-at-home/container-images/pkgs/container/ubuntu-jammy it shows "3 months ago".

Last manual update check was around 15-10, at which time august was the last available tag.

Re iX-Systems, forgive my assumption. For what it is worth, the blog, especially the project intro, very much reads a lot like a TrueNAS marketing announcement. I'll keep in mind that it is not.

It's not the "project intro", it's just a blog post. An introductory one for sure, but not anything of general relevance to the project. The project intro is the home page and GitHub readme.

As clearly stated back in the day, said blog was a joint promotional post between ourselves and iX Systems.

Can I ask if TrueCharts' official position on deprecated/insecure code is "it is fine if it doesn't run very often"?

TLDR:

  • We take security very seriously and have set up thorough processes to keep things updated where we can.
  • When prioritising security issues, we keep exploitability in mind.
  • If you have an actually exploitable CVE, the procedures to report such a thing are in the main repo.

In this case:

  • The issue was tracked monthly (last checked around 15-10)
  • It's been outdated since 20-10
  • The attack surface is minimal
  • The relevance of fixed CVEs is minimal.
  • Hence priority is low.
  • Please don't fearmonger calling just-missed updates security issues.

Generally we don't take general questions on GitHub.
If you want to discuss the project, please use the discord for discussions.