#38: Dopr
------------------------+---------------------
 Reporter:  msuchy      |       Owner:
   Status:  new         |    Priority:  normal
Component:  Trademarks  |  Resolution:
 Keywords:  meeting     |
------------------------+---------------------

Comment (by spot):

 Replying to [comment:5 vgologuz]:
 > Please note, that dopr doesn't restrict Dockerfiles to use some particular base image. The user could choose to use any other image from dockerhub, like:
 > {{{
 > FROM centos:latest
 > }}}
 > Even if we limit base image to some small approved set, it doesn't provide any security. The user could do anything in the later Dockerfile commands. There is no difference between .spec and .Dockerfile or Copr repository and dockerhub image repository.

 I'm really concerned about this point. I suspect strongly that there are dockerhub images that are very legally risky for us to be the distributor of. A quick search of dockerhub brings up the nvidia driver, ffmpeg, just to bring up two known items. Adding a layer of abstraction means this will be very difficult for us to police in the same way that we do coprs today.

 If we could restrict this to the known good and "official" docker images (centos and fedora) combined with coprs, then that would resolve the legal risk concern on my part.

 I still don't think that the resulting images should be branded as Fedora, though, I don't see any real reason why the service couldn't be a "Fedora provided service" (again, assuming that we're only permitting centos/fedora base docker images).

--
Ticket URL: <https://fedorahosted.org/council/ticket/38#comment:8>
council <https://fedorahosted.org/council>
Fedora Council Public Tickets