
List:       tails-dev
Subject:    Re: [Tails-dev] Tails Server docker support
From:       segfault <segfault () riseup ! net>
Date:       2017-12-12 8:59:11
Message-ID: 05c23685-e3d7-e51e-1332-07cc004dd63e () riseup ! net

forgottenbeast:
> 
>> 1. The size of the docker images. The debian base image is > 100MB.
>> Downloading this would increase both the service installation time and
>> the requirements on the system's RAM.
> 
> This problem can easily be circumvented by using alpine based images:
> the alpine base image itself is around 4mb and many packages already
> exist for alpine based systems for this reason.

Ok, that's good to know. I was indeed able to find alpine-based docker
images for the use cases that are already implemented in Tails Server.

> For those that do not exist I agree that the whole repackaging process
> could be a pain AND involve a security risk (one would need to be able
> to audit the whole process and ascertain that the repackaged application
> has not been modified in any way)

Agreed.

>> 2. The lack of trustworthy sources. For many services there are "public"
>> images available, which, IIUC, can be created and maintained by anyone.
> 
> https://docs.docker.com/engine/security/trust/content_trust/#content-trust-operations-and-keys
> outlines the way the docker developers envisioned their image trust model.

So this allows verification of the image publisher, but my problem is
that I don't trust the image publishers.

> Since Docker images use a pretty standard key hierarchy scheme (offline
> root key and repository tagging keys to sign tags) it shouldn't be hard
> to verify the signatures of every image that is downloaded and only run
> those that have a verifiable chain of trust.
> 
> I can see two ways to do this:
> 
> 1. Trust everyone who signs and warn the user every time the certificate
> chain does not have a Tails signing key in it. Double warning (or demand
> a specific manipulation à la persistent packages) to run an unsigned image.
> 2. Set up a linux tails registry containing audited and signed base
> images to build from as well as pre-built, audited and signed service
> images.

Both of these options would require us to create and maintain docker
images ourselves, which I don't want to do, because it is too much work.
So I prefer using the Debian packages instead.

Cheers

_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to Tails-dev-unsubscribe@boum.org.
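The policy forgottenbeast sketches as option 1 (verify the root key -> tagging key -> tag chain, run when the root is a Tails key, warn when the chain is valid but rooted elsewhere, refuse when it does not verify) can be made concrete with a small model. The following Go program is an added example written for this archive page; it is not code from the thread, from Tails or from Docker, and it deliberately uses a toy two-level format rather than the real Notary/TUF metadata that Docker Content Trust ships. The function names (`Publish`, `VerifyChain`, `Decide`), the JSON layout of the signed documents and the sample manifest are all assumptions made here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Toy model of the hierarchy described in the thread: an offline root key
// signs a tagging key, the tagging key signs tag -> digest bindings.
// This is NOT the real Notary/TUF wire format; it only demonstrates the checks.

// Delegation is signed by the root key and names the key allowed to sign tags.
type Delegation struct {
	TargetsKey []byte `json:"targets_key"`
}

// Targets is signed by the tagging key and binds each tag to a manifest digest.
type Targets struct {
	Tags map[string]string `json:"tags"` // tag -> hex sha256 of the image manifest
}

// SignedImage is the trust metadata a client would fetch next to an image.
type SignedImage struct {
	RootKey    ed25519.PublicKey
	Delegation []byte // JSON of Delegation
	DelegSig   []byte // signature by the (offline) root key over Delegation
	Targets    []byte // JSON of Targets
	TargetsSig []byte // signature by the tagging key over Targets
}

// Digest is the hex sha256 a publisher records for a manifest.
func Digest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return hex.EncodeToString(sum[:])
}

// Publish models the publisher side: root signs the tagging key,
// the tagging key signs the tag table.
func Publish(root, tagging ed25519.PrivateKey, tags map[string]string) SignedImage {
	deleg, _ := json.Marshal(Delegation{TargetsKey: tagging.Public().(ed25519.PublicKey)})
	targets, _ := json.Marshal(Targets{Tags: tags})
	return SignedImage{
		RootKey:    root.Public().(ed25519.PublicKey),
		Delegation: deleg,
		DelegSig:   ed25519.Sign(root, deleg),
		Targets:    targets,
		TargetsSig: ed25519.Sign(tagging, targets),
	}
}

// VerifyChain checks root key -> delegated tagging key -> tag -> manifest digest.
func VerifyChain(img SignedImage, tag string, manifest []byte) error {
	if len(img.RootKey) != ed25519.PublicKeySize || !ed25519.Verify(img.RootKey, img.Delegation, img.DelegSig) {
		return errors.New("delegation not signed by root key")
	}
	var d Delegation
	if err := json.Unmarshal(img.Delegation, &d); err != nil || len(d.TargetsKey) != ed25519.PublicKeySize {
		return errors.New("malformed delegation")
	}
	if !ed25519.Verify(ed25519.PublicKey(d.TargetsKey), img.Targets, img.TargetsSig) {
		return errors.New("targets not signed by the delegated tagging key")
	}
	var t Targets
	if err := json.Unmarshal(img.Targets, &t); err != nil {
		return errors.New("malformed targets")
	}
	want, ok := t.Tags[tag]
	if !ok {
		return fmt.Errorf("tag %q is not signed", tag)
	}
	if Digest(manifest) != want {
		return errors.New("manifest digest does not match the signed tag")
	}
	return nil
}

// Decision is the outcome of the "option 1" policy from the thread.
type Decision string

const (
	Refuse Decision = "refuse" // chain does not verify (or tag unsigned / tampered)
	Warn   Decision = "warn"   // chain verifies, but no Tails key at the root
	Run    Decision = "run"    // chain verifies and is rooted in a Tails signing key
)

// Decide applies the policy: refuse an unverifiable chain, run a chain rooted
// in one of tailsRoots, warn for a valid chain rooted in anyone else's key.
func Decide(img SignedImage, tag string, manifest []byte, tailsRoots []ed25519.PublicKey) Decision {
	if err := VerifyChain(img, tag, manifest); err != nil {
		return Refuse
	}
	for _, k := range tailsRoots {
		if bytes.Equal(k, img.RootKey) {
			return Run
		}
	}
	return Warn
}

func main() {
	tailsPub, tailsRoot, _ := ed25519.GenerateKey(rand.Reader)
	_, tagging, _ := ed25519.GenerateKey(rand.Reader)
	manifest := []byte(`{"constructed":"sample manifest for example-service:1.0"}`) // constructed
	img := Publish(tailsRoot, tagging, map[string]string{"example-service:1.0": Digest(manifest)})
	fmt.Println(Decide(img, "example-service:1.0", manifest, []ed25519.PublicKey{tailsPub}))
	fmt.Println(Decide(img, "example-service:1.0", manifest, nil))
	fmt.Println(Decide(img, "example-service:1.0", []byte("tampered"), []ed25519.PublicKey{tailsPub}))
}
```

The point segfault makes in the reply survives this model intact: the signature chain only proves who published the image, so `Warn` is the best the client can do for a publisher it has no reason to trust, and turning `Warn` into `Run` requires a Tails-controlled root key, which means Tails building and signing the images itself.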