Re: [Tails-dev] Tails Server docker support

Delete this message

Reply to this message
Author: segfault
Date:  
To: forgottenbeast, tails-dev
Subject: Re: [Tails-dev] Tails Server docker support
forgottenbeast:
>
>> 1. The size of the docker images. The debian base image is > 100MB.
>> Downloading this would increase both the service installation time and
>> the requirements on the system's RAM.
>
> This problem can easily be circumvented by using alpine based images:
> the alpine base image itself is around 4mb and many packages already
> exist for alpine based systems for this reason.


Ok, that's good to know. I was indeed able to find alpine-based docker
images for the use cases that are already implemented in Tails Server.

> For those that do not exist I agree that the whole repackaging process
> could be a pain AND involve a security risk (one would need to be able
> to audit the whole process and ascertain that the repackaged application
> has not been modified in any way)


Agreed.

>> 2. The lack of trustworthy sources. For many services there are "public"
>> images available, which, IIUC, can be created and maintained by anyone.
>
> https://docs.docker.com/engine/security/trust/content_trust/#content-trust-operations-and-keys
> outlines the way the docker developers envisioned their image trust model.


So this allows verification of the image publisher, but my problem is
that I don't trust the image publishers.

> Since docker images uses a pretty standard key hierarchy scheme (offline
> root key and repository tagging keys to sign tags) it shouldn't be hard
> to verify the signatures of every image that is downloaded and only run
> those that have a verifiable chain of trust.
>
> I can see two ways to do this:
>
> 1. Trust everyone that sign and warn the user every time the certificate
> chain does not have a Tails signing key in it. Double warning (or demand
> a specific manipulation a la persistent packages) to run an unsigned image.>
> 2. Set up a linux tails registry containing audited and signed base
> images to build from as well as pre-built, audited and signed service
> images.


Both of these options would require us to create and maintain docker
images ourselves, which I don't want to do, because it is too much work.
So I prefer using the Debian packages instead.

Cheers