Hi,

a voice here against changing the status quo, and for keeping this
"wontfix". I do NOT want to see this bug reopened :-).

From a security perspective, having an implicitly set-up registry can
lead to supply chain attacks.

Example: we have our own company-set-up registry where we mirror
official image names and tags after making some extra changes (e.g.
additional CA certificates for TLS substitution).

If you allow automatically pulling from docker.io, and a user runs by
mistake "docker run unqualified:latest", then they get the wrong
version, which means using unsafe containers (we have our own security
scanner; the one from docker.io is not strong enough). It's better for
us that they get an error and need to manually specify the
registry to make their intent clear (we don't want to forbid pulling
from docker.io; there are good use cases for that, especially to build
the initial images inside our own private registry).

Also, if you are not on a tty (e.g. in a GitLab runner), of course you
won't be asked where to pull from; the default will simply be
taken.

So please don't change the current behavior unless you have a strong
reason to. Users that want to allow pulling from docker.io by default
can do it via a trivial config file whose syntax is well documented.

The official podman-pull man page says it better than me:

      When users specify images that do not include the container
      registry where the image is stored, this is called a short name.
      The use of unqualified-search registries entails an ambiguity as
      it is unclear from which registry a given image, referenced by a
      short name, may be pulled from.
      
      Using short names is subject to the risk of hitting squatted
      registry namespaces. If the unqualified-search registries are set
      to ["public-registry.com", "my-private-registry.com"] an attacker
      may take over a namespace of public-registry.com such that an
      image may be pulled from public-registry.com instead of the
      intended source my-private-registry.com.

> It seems however that upstream is (I have not verified that - I'm
> inferring that from looking at an example [1]).

No, upstream does not do it by default because it's considered a
security issue.

-- 
Matteo Settenvini
Head of Architecture

Bender Smart Charging GmbH
EUREF Campus, Haus 4-5
10829 Berlin

Phone: +49 160 93473984
Mail: matteo.settenv...@bender.de
https://bender.de

Sitz der Gesellschaft: Berlin, Amtsgericht Charlottenburg, HRB 135647B,
Geschäftsführer: Robert Weyrauch, Andreas Maurer



On Tue, 27 Sep 2022 14:31:31 +0200 Laurent Bigonville
<bi...@debian.org> wrote:
> Hello,
> 
> Sorry for coming back to the topic here, but I (still) personally think
> that defining "unqualified-search-registries" with a sensible default
> (dockerhub and quay.io?) is a better solution.
> 
> For what I understand, the two arguments here against are 1) it's not
> up to Debian to choose the registries for the users and 2) there are
> security concerns about using random images.
> 


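An added example, not part of this thread and not podman's or Docker's own code: a POSIX shell pre-flight check that applies the same split rule the containers/image library and Docker use to decide whether a reference names a registry at all (the first path component is a registry only if it contains '.' or ':' or is exactly "localhost"; anything else, including "unqualified:latest" from the message above, is a short name that will be resolved through unqualified-search-registries). It extracts the base images from a Dockerfile and fails when any of them is a short name, which is the "make your intent explicit" policy argued for above, enforced in CI where no tty prompt is possible. The function names and the Dockerfile embedded at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example: lint container image references for short names.
# Rule (from containers/image and Docker): the first path component of a
# reference is a registry only if it contains '.' or ':' or is exactly
# "localhost"; otherwise the whole reference is a short name and the
# registry is chosen from unqualified-search-registries (or docker.io).
# Function names and the sample Dockerfile below are constructed for this
# example and are not part of any tool.

# Print the registry component of a reference; return 1 for a short name.
registry_of() {
    ref=$1
    case $ref in
        */*) first=${ref%%/*} ;;
        *)   return 1 ;;                  # "alpine:3.18": no registry at all
    esac
    case $first in
        localhost|*.*|*:*) printf '%s\n' "$first" ;;
        *)                 return 1 ;;    # "myorg/app": org name, not a host
    esac
}

# Read references, one per line; report each short name; return 1 if any.
lint_refs() {
    bad=0
    while IFS= read -r ref || [ -n "$ref" ]; do
        [ -z "$ref" ] && continue
        if ! registry_of "$ref" >/dev/null; then
            printf 'short name, registry ambiguous: %s\n' "$ref" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Print the images pulled by a Dockerfile (files as arguments, or stdin):
# the first non-option word after FROM, skipping "scratch" and references
# to build stages declared earlier with "AS name".
dockerfile_images() {
    awk '
        toupper($1) == "FROM" {
            img = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^--/) continue      # e.g. --platform=linux/amd64
                img = $i
                break
            }
            skip = (img == "" || img == "scratch" || img in stages)
            for (i = 2; i < NF; i++)
                if (toupper($i) == "AS") stages[$(i + 1)] = 1
            if (!skip) print img
        }' "$@"
}

# Demo on a constructed Dockerfile (not a real project file).
sample_dockerfile='FROM --platform=linux/amd64 golang:1.21 AS build
FROM my-private-registry.com/base/alpine:3.18
FROM build'

if printf '%s\n' "$sample_dockerfile" | dockerfile_images | lint_refs; then
    echo "all base images are fully qualified"
else
    echo "unqualified base images found: qualify them, or add an [aliases] entry in registries.conf"
fi
```

Run it as a step before `podman build` or `docker build`. It complements, rather than replaces, leaving unqualified-search-registries empty in registries.conf (the setting the quoted man page describes): the config makes the pull fail, this check makes the mistake visible at review time. References to an earlier build stage and to `scratch` are skipped because they never reach a registry.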