Hi, a voice against changing the status quo here.

From a security perspective, having an implicitly set up registry can lead to supply chain attacks. Example: we have our own company set-up registry where we are mirroring official image names and tags after setting up some extra changes (e.g. additional CA certificates for TLS substitution). If you allow automatically pulling from docker.io, and a user does by mistake "docker run unqualified:latest", then they get the wrong version which means using unsafe containers (we have our own security scanner, the one from docker.io is not strong enough).

It's better for us that they get an error and that they need to manually specify the registry to make their intent clear (we don't want to forbid pulling from docker.io, there are good use cases for that, especially to build the initial images inside our own private registry).

Also, if you are not on a tty (e.g. in a GitLab runner), of course you won't be asked from where to pull from, the default will simply be taken.

So please don't change the current behavior unless you have a strong reason to. Users that want to allow pulling from docker.io by default can do it via a trivial config file whose syntax is well documented.

The podman pull official man page says it better than me:

"When users specify images that do not include the container registry where the image is stored, this is called a short name. The use of unqualified-search registries entails an ambiguity as it is unclear from which registry a given image, referenced by a short name, may be pulled from.

Using short names is subject to the risk of hitting squatted registry namespaces. If the unqualified-search registries are set to ["public-registry.com", "my-private-registry.com"] an attacker may take over a namespace of public-registry.com such that an image may be pulled from public-registry.com instead of the intended source my-private-registry.com."

> It seems however that upstream is (I have not verified that - I'm
> inferring that from looking at an example [1]).

No, upstream does not do it by default. This for me is one case where if you want convenience and it is fine in your context, you can just set it up on your own, much like bash aliases are also easy to set up for your use case.

Cheers,
Matteo

On Tue, 27 Sep 2022 14:31:31 +0200 Laurent Bigonville <bi...@debian.org> wrote:
> Hello,
>
> Sorry for coming back to the topic here, but I (still) personally think
> that defining "unqualified-search-registries" with sensible default
> (dockerhub and quay.io?) is a better solution.
>
> From what I understand, the two arguments here against are 1) it's not
> up to Debian to choose the registries for the users 2) there are
> security concerns about using random images.
>
> IMVHO, it's still the role of a distribution to provide sensible
> defaults to their users (lot/all packages are already doing so today in
> the distribution). The fact that the package is adding that
> shortnames.conf file (with a selected subset of images) is actually
> forcing our users to use images (and not just repositories).
>
> With unqualified-search-registries set, podman WILL ask the user from
> where they want to pull the image from (currently nothing is asked),
> this would actually allow the user to have MORE control and clarity over
> the repository they use.
>
> I'm also not sure what would happen if the package maintainer would change
> the content of that file to point to another repository (let's say
> because of a dispute), the user would start pulling an image they are
> not expecting? With setting "unqualified-search-registries", the choice
> of the user is preserved.
>
> To that, I would also add that, AFAICS, Debian is breaking expectation
> for users coming from other distributions here.
>
> So would it be possible to reconsider the solution here?
>
> Kind regards,
>
> Laurent Bigonville
>

--
Matteo Settenvini
Head of Architecture
Ebee Smart Technologies GmbH
Torgauer Str. 12-15 (Haus 4)
10829 Berlin
Phone: +49 160 93473984
Mail: matteo.settenv...@ebee.de
https://ebee.de
Registered office: Berlin, Amtsgericht Charlottenburg, HRB 135647B, Managing Directors: Robert Weyrauch, Andreas Maurer
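
Added example, not part of the e-mail above and not podman's own code: a small lint that a CI job could run over image references to reject short names and list the locations each one could be pulled from under a given `unqualified-search-registries` value. The function names and the sample config are constructed for illustration, and short-name aliases from shortnames.conf are assumed not to apply.

```python
import re

# Constructed sample: the search list used in the man page text quoted above.
SAMPLE_CONF = 'unqualified-search-registries = ["public-registry.com", "my-private-registry.com"]\n'

def search_registries(conf_text):
    """Extract unqualified-search-registries from registries.conf text.
    A regex over this one key, not a full TOML parser; commented-out lines are skipped."""
    m = re.search(r'^[ \t]*unqualified-search-registries\s*=\s*\[(.*?)\]',
                  conf_text, re.M | re.S)
    return re.findall(r'["\']([^"\']+)["\']', m.group(1)) if m else []

def is_short_name(ref):
    """True when the reference carries no registry host.
    The first path component counts as a host only if it contains '.' or ':'
    or equals 'localhost' (the container reference convention)."""
    first, slash, _ = ref.partition("/")
    if not slash:
        return True
    return not ("." in first or ":" in first or first == "localhost")

def audit(refs, conf_text):
    """Report every short name with the locations it could be pulled from."""
    registries = search_registries(conf_text)
    findings = []
    for ref in refs:
        if not is_short_name(ref):
            continue
        candidates = [f"{reg}/{ref}" for reg in registries]
        if not candidates:
            status = "unresolved"   # no search registry configured (aliases not considered)
        elif len(candidates) == 1:
            status = "implicit"     # resolves, but the registry is not stated
        else:
            status = "ambiguous"    # several registries could serve the name
        findings.append((ref, status, candidates))
    return findings

if __name__ == "__main__":
    refs = ["unqualified:latest", "my-private-registry.com/unqualified:latest"]
    for ref, status, candidates in audit(refs, SAMPLE_CONF):
        print(f"{ref}: {status} -> {candidates}")
```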