
Re: The spiped Docker image



Vijay,

On 09.04.20 at 21:38, Vijay Kumar via spiped wrote:
> Is the https://hub.docker.com/_/spiped a legitimate Docker image of this spiped project? I didn't see any mention of this Docker image on the https://www.tarsnap.com/index.html website.
> 

I am the maintainer of that Docker Image (and also other official Docker
Images). Colin is not directly involved within the creation of the
Docker Image, but he acknowledged the inclusion of the spiped Image
within the Docker Official Images program back when I proposed it:

https://github.com/docker-library/official-images/pull/1714#issuecomment-219556607

The Docker Image you linked being a Docker Official Image means that the
following security implications apply:

- You must trust Docker Hub to not be compromised / serve you an
unmodified Docker Image.
- You must trust the maintainers of the Docker Official Image program to
upload a Docker Image matching the Dockerfile referenced by the manifest
within the docker-library/official-images repository:
https://github.com/docker-library/official-images/blob/master/library/spiped

This is true for every Docker Image within the Docker Official Images
program.

You do not need to trust me, because you can verify the contents of
the Dockerfile using the commits referenced in the manifest.

Best regards
Tim Düsterhus
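
Added example, not part of the e-mail above and not code from the spiped or docker-library projects: a sketch of the verification described in the message, resolving each tag in a library manifest to the exact commit and Dockerfile path it pins so that file can be reviewed. The manifest handling is a simplified assumption of the official-images format, and the repository URL, maintainer and commit hashes in the sample are constructed placeholders.

```python
import re

# Constructed sample in the style of a docker-library/official-images manifest;
# the maintainer, repo URL and commit hashes are placeholders, not real values.
SAMPLE_MANIFEST = """\
Maintainers: Jane Doe <jane@example.org> (@janedoe)
GitRepo: https://github.com/example/docker-spiped.git

Tags: 1.6.1, 1.6, 1, latest
GitCommit: 0123456789abcdef0123456789abcdef01234567
Directory: 1.6

Tags: 1.6.1-alpine, 1.6-alpine, 1-alpine, alpine
GitCommit: 89abcdef0123456789abcdef0123456789abcdef
Directory: 1.6/alpine
"""

FULL_SHA = re.compile(r"[0-9a-f]{40}")


def parse_manifest(text):
    """Return {tag: {repo, commit, path}}; the first block holds defaults."""
    parsed = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields:  # skip comment-only blocks
            parsed.append(fields)
    defaults, entries = parsed[0], parsed[1:]
    pinned = {}
    for entry in entries:
        merged = {**defaults, **entry}
        commit = merged.get("GitCommit", "")
        # A branch or tag name can move; only a full commit hash pins content.
        if not FULL_SHA.fullmatch(commit):
            raise ValueError(f"{merged.get('Tags')}: not pinned to a full commit")
        directory = merged.get("Directory", ".").strip("/")
        path = "Dockerfile" if directory in ("", ".") else f"{directory}/Dockerfile"
        for tag in (t.strip() for t in merged["Tags"].split(",")):
            pinned[tag] = {"repo": merged["GitRepo"], "commit": commit, "path": path}
    return pinned


def review_command(pin):
    """Git command that prints the Dockerfile exactly as of the pinned commit."""
    return f"git show {pin['commit']}:{pin['path']}"
```

Run `review_command` output inside a clone of the repository named in `GitRepo` to read the Dockerfile the manifest refers to for that tag.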