adutra opened a new issue, #537: URL: https://github.com/apache/polaris/issues/537
### Is your feature request related to a problem? Please describe. The Dockerfile that sits at the repository root is rather insecure, especially this directive: ```dockerfile COPY --chown=default:root . /app ``` With this directive it's a piece of cake to introduce a backdoor, build a hacked Polaris image, and distribute it. Moreover, I'm concerned that people would think that this is the "official" Dockerfile for Polaris and would use it to push Polaris into production – since it sits at the repository root. This Dockerfile is also referenced in the main `README.md`, which contributes a bit more to branding it as the "official" thing. ### Describe the solution you'd like I would like to suggest at least one of the following mitigation actions: 1. Clearly flag this Dockerfile for evaluation and/or testing purposes, e.g. by renaming it to `Dockerfile-dev`; 2. Better yet, move it to `dropwizard/service` to reduce its build context to just that module and also to reduce the risk of people using it in production. Moving that Dockerfile would require changing the build steps though, since it won't be possible to build the entire code base anymore inside the docker build. An alternative was suggested a while ago in https://github.com/apache/polaris/pull/268 – _I think we need to revive that PR_. In particular, I don't see a sensible difference between building the code in the docker build vs copying pre-built artifacts, neither in terms of build reproducibility nor in terms of security (both are equally insecure, in fact). ### Describe alternatives you've considered _No response_ ### Additional context Side note on the "official" Dockerfile: we don't have one yet, but ideally, that Dockerfile would check out a released tag and build it. Alternatively, it could download the released Maven artifacts from Maven Central. As a third option, it could copy the final artifacts from the local build directory – but that would only be safe if done in CI and triggered by a trusted user. In any case, I wouldn't recommend using the current strategy of building the local codebase inside the docker build as the strategy to use for future official Docker images. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
