
Show HN: Small, secure Nginx Docker image - ricardbejarano
https://github.com/ricardbejarano/nginx
======
theamk
The big question about using those Docker containers is security.

Based on past CVE history for nginx, there might be another CVE in 1-2 years.
Will this git repo still be updated then? Will the user remember to pull
latest version and regenerate latest image?

Official "nginx:alpine" image maintained by nginx team is 17MB. If you can,
you should always use it. And you should subscribe to some sort of mailing
list so you know when it is time to upgrade all of your servers.

(An alternative is to skip docker and use good old Ubuntu LTS with automatic
updates; this will guarantee timely and fully automatic security updates for
the next few years. The downside is that if the system has an exploit,
the attacker will often find it much easier to stay in the system and move to
other parts of the network.)

~~~
gbraad
Agree, security here is a bold claim. Size does not imply security.
Traceability, reproducibility, maintenance/rate of release, etc. are... I'd
rather use official images as they are maintained and reported against (or
reported to the maintainer) when issues are found.

~~~
ricardbejarano
OP and maintainer of the image here.

I understand your concerns. I would have them too.

To be fair, I tried pushing these changes to the official NGINX image, but
they weren't accepted because I'm using a multi-stage build, which is not
allowed in official images for a series of reasons. I mostly disagree with
those reasons, but I don't own the Docker Hub. Here's the PR:
[https://github.com/nginxinc/docker-nginx/pull/310](https://github.com/nginxinc/docker-nginx/pull/310)

As for traceability, we've had some discussion over at Lobsters about that. I
believe you can do it from outside the container, and avoid bloat that will
only get used in 1% of the cases.

About reproducibility, my CI process for this image uses GitHub and the Docker
Hub, I don't build and push the images myself (which I consider a very big red
flag in A LOT of images, even official ones), so it must be reproducible as
the Docker Hub must be able to build it.

I've responded to another user about maintenance. TL;DR is: I use it, so I
must keep it up-to-date, usually in less than 24h of the release of a new
patch. If for whatever reason I stop using it, upgrading is just changing two
lines in the Dockerfiles, so it's not tiring. But if for whatever reason I
can't maintain it anymore... This is an inherent problem of volunteer
maintained open source software.

I might have convinced you, or not. Again, I'd have the same concerns as you
do, it's fair.

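The multi-stage, two-lines-to-upgrade build described in the post above, as an added example that is not the repository's own Dockerfile: the first stage downloads a version-pinned nginx tarball, refuses to build unless its SHA-256 matches the published digest, compiles only the modules needed, and the second stage copies just the installed tree into a fresh base image that runs as an unprivileged user. The base image tag, the default version, the install paths, the listen port and the module selection are this example's assumptions, and the checksum is a placeholder to be replaced with the value nginx.org publishes for that release (nginx.org also publishes PGP signatures, which could replace the digest check).

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build nginx from a version-pinned, checksum-verified source tarball.
FROM alpine:3.19 AS build

# The two lines an upgrade touches: the release and its published checksum.
ARG NGINX_VERSION=1.25.3
# PLACEHOLDER: paste the SHA-256 of nginx-${NGINX_VERSION}.tar.gz from nginx.org here.
ARG NGINX_SHA256=REPLACE_WITH_SHA256_FROM_NGINX_ORG

RUN apk add --no-cache build-base pcre2-dev zlib-dev openssl-dev

WORKDIR /src
# Fail the build if the tarball does not match the expected digest.
RUN wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" \
 && echo "${NGINX_SHA256}  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c - \
 && tar -xzf "nginx-${NGINX_VERSION}.tar.gz"

WORKDIR /src/nginx-${NGINX_VERSION}
# Install under /opt/nginx; log to stderr/stdout and keep the pid and temp files
# under /tmp so the server can run as an unprivileged user. Modules this image
# does not need are compiled out, which also removes their attack surface.
RUN ./configure \
      --prefix=/opt/nginx \
      --pid-path=/tmp/nginx.pid \
      --error-log-path=stderr \
      --http-log-path=/dev/stdout \
      --http-client-body-temp-path=/tmp/client_body \
      --http-proxy-temp-path=/tmp/proxy \
      --with-http_ssl_module \
      --without-http_autoindex_module \
      --without-http_ssi_module \
      --without-http_userid_module \
      --without-http_fastcgi_module \
      --without-http_uwsgi_module \
      --without-http_scgi_module \
 && make -j"$(nproc)" \
 && make install \
 && strip /opt/nginx/sbin/nginx

# Minimal config (constructed for this example): unprivileged port, static files only.
RUN printf '%s\n' \
      'worker_processes 1;' \
      'events { worker_connections 256; }' \
      'http {' \
      '  include mime.types;' \
      '  server_tokens off;' \
      '  server {' \
      '    listen 8080;' \
      '    root /opt/nginx/html;' \
      '  }' \
      '}' > /opt/nginx/conf/nginx.conf

# Stage 2: the runtime image carries only the installed tree and its shared libraries;
# the compiler, headers and source tarball stay behind in the build stage.
FROM alpine:3.19

RUN apk add --no-cache pcre2 zlib libssl3 libcrypto3 \
 && adduser -D -H -u 10001 -s /sbin/nologin nginx

COPY --from=build --chown=10001:10001 /opt/nginx /opt/nginx

USER 10001
EXPOSE 8080
ENTRYPOINT ["/opt/nginx/sbin/nginx", "-g", "daemon off;"]
```

Bumping `NGINX_VERSION` and `NGINX_SHA256` is the whole upgrade; a wrong or stale digest makes `sha256sum -c` fail and the build stops before anything is compiled, which is the property a CI system building from a public repository should rely on rather than on whoever pushed the tag.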
------
ggm
If predictable build compilations were published by source owners and some
wider review (like CT), the build could test if the specific code used matched
externally provided sigs.

