manolan1 commented on issue #469: GUACAMOLE-890: Security: Allow image to run as non-root user URL: https://github.com/apache/guacamole-client/pull/469#issuecomment-581638438 You all seem to have missed the point! ;) Regardless of this change, we should be switching to the jdk8 suffix. It is not a question of size, it is a question of support. I don't see that there is an option. The jre8 suffix is NOT an officially supported tomcat container. See here for supported tags: https://hub.docker.com/_/tomcat?tab=description or https://github.com/docker-library/official-images/blob/master/library/tomcat The jre8 tag *is* available. It was last updated 8 months ago vs 23 Dec for the jdk8 image. Unsurprisingly, the jre8 image is not part of the tomcat docker build process, as you can see from any recent build reports. Here is the pull request for that change ( https://github.com/docker-library/tomcat/pull/158). I am sure the requirement for the jdk does not affect us, but I really think we should be using a supported image and all jre images have been removed. M. . On Sun, 2 Feb 2020 at 21:39, Virtually Nick <[email protected]> wrote: > *@necouchman* commented on this pull request. > ------------------------------ > > In Dockerfile > <https://github.com/apache/guacamole-client/pull/469#discussion_r373877390> > : > > > @@ -25,7 +25,7 @@ > # such as `--build-arg TOMCAT_JRE=jre8-alpine` > # > ARG TOMCAT_VERSION=8.5 > -ARG TOMCAT_JRE=jre8 > +ARG TOMCAT_JRE=jdk8 > > I also don't think a world-writable directory is the right way to go - the > directory should have the correct ownership and permissions, not just the > ones that work because we've blown everything open. If we're trying to > improve security with this issue, making something world-writable seems > contradictory to that effort. > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <https://github.com/apache/guacamole-client/pull/469?email_source=notifications&email_token=AB4VJ5A47ODT7FRLO3QA7RLRA44S3A5CNFSM4KNTHIJ2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCT5KAZA#discussion_r373877390>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AB4VJ5E5ESVYKNI3POI6ZI3RA44S3ANCNFSM4KNTHIJQ> > . >
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
