Richard Bucker

Docker registry; is it safe?

Posted at — Jul 18, 2015

I make the assertion that Docker’s public registry is not safe and I offer “nijtmans” as an example. I was looking to deploy fossil in a docker container but I was too lazy to build my own “scratch” container from scratch. Since I had just installed bosun and grafana from their “trusted” images I felt good about looking for a fossil version. Sorry, FAIL.

- A docker registry search for “fossil” yielded some 5 images.
- The first image was 8 months old and makes the claim that it was forked from nijtmans.
- I noticed that nijtmans is not trusted with the docker registry (no badge).
- The former image included its Dockerfile so I could fork it if I wanted.
- The latter, nijtmans, did not offer any good documentation and it was missing the Dockerfile.
- I decided to try to track the project down and looked for the author on github; sadly he only had the one project.
- When I looked in his repo I could not locate the Dockerfile and the README was unflattering.

I do not know anything about this guy. I have no idea what his motives are or what the source looks like. I appreciate that he has shared, but when it comes to putting something in my server it has to have something, anything. From this vantage point nijtmans and his project are suspicious.
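When an image ships without its Dockerfile, the layer metadata is still there: `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE` prints the command that produced each layer, newest first. The helper below, added here as an example and not code from the original post or from either fossil image, rebuilds a Dockerfile-like listing from that output and flags the layer commands a reviewer would want to read before running a stranger's image. The history lines, the `example.invalid` URLs and the flagging heuristics are all constructed for the example.

```python
"""Reconstruct and audit an image whose Dockerfile was not published.

Input is the output of:
    docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
which lists one layer per line, newest layer first.
"""
import re

# docker history prefixes metadata instructions with "#(nop)" and RUN
# steps with the shell that executed them.
NOP_PREFIX = "/bin/sh -c #(nop) "
RUN_PREFIX = "/bin/sh -c "

# Heuristics for layers worth reading by hand. Assumed patterns for this
# example, not an exhaustive policy.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
     "pipes a download straight into a shell"),
    (re.compile(r"\bADD\s+https?://"),
     "ADDs a file from a URL with no checksum pinning"),
    (re.compile(r"\bchmod\b.*\b777\b"),
     "makes a path world-writable"),
]

# Constructed sample history (newest first), standing in for a real
# `docker history` run against an image with no Dockerfile.
SAMPLE_HISTORY = [
    '/bin/sh -c #(nop) CMD ["fossil" "server" "/repo"]',
    "/bin/sh -c #(nop) EXPOSE 8080/tcp",
    "/bin/sh -c curl -sSL http://example.invalid/fossil-install.sh | sh",
    "/bin/sh -c #(nop) ADD http://example.invalid/fossil.tar.gz /tmp/",
    "/bin/sh -c apt-get update && apt-get install -y build-essential",
    "/bin/sh -c #(nop) ADD file:abc123 in /",
]


def normalize(created_by: str) -> str:
    """Turn one CreatedBy string back into Dockerfile-like text."""
    created_by = created_by.strip()
    if created_by.startswith(NOP_PREFIX):
        # e.g. 'CMD ["fossil"]', 'EXPOSE 8080/tcp', 'ADD http://... /tmp/'
        return created_by[len(NOP_PREFIX):].strip()
    if created_by.startswith(RUN_PREFIX):
        return "RUN " + created_by[len(RUN_PREFIX):].strip()
    return created_by


def reconstruct(history_lines):
    """Rebuild the build steps in Dockerfile order (oldest layer first)."""
    return [normalize(line) for line in reversed(history_lines) if line.strip()]


def audit(dockerfile_lines):
    """Return (step_number, reason, text) for every step that trips a heuristic."""
    findings = []
    for number, text in enumerate(dockerfile_lines, start=1):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(text):
                findings.append((number, reason, text))
    return findings


if __name__ == "__main__":
    steps = reconstruct(SAMPLE_HISTORY)
    for number, text in enumerate(steps, start=1):
        print(f"{number:2d}  {text}")
    for number, reason, text in audit(steps):
        print(f"step {number}: {reason}: {text}")
```

Run it against a real image by replacing `SAMPLE_HISTORY` with the lines from `docker history`; a layer that pipes a download into a shell, as in the sample, is exactly the "something, anything" that a missing Dockerfile would otherwise hide.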