Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Dockerfile to pull from S3 endpoint in EU, not from servers in China #263

Open
oskapt opened this issue Sep 8, 2021 · 1 comment
Open

Update Dockerfile to pull from S3 endpoint in EU, not from servers in China #263

oskapt opened this issue Sep 8, 2021 · 1 comment

Comments

@oskapt
Copy link

oskapt commented Sep 8, 2021

The docs list an S3 endpoint for downloading the source, but the Dockerfile instead pulls from a server in China.

While both of these have the same MD5 signature today, content stored in China is subject to regulation and laws that easily open Seafile up to a supply chain attack for anyone using the Docker container image. It would be trivial to change the source of the version in China and have that shipped out across the world.

For a product that manages files and data for individuals and organizations, this would be a disaster.

Can the Dockerfile pull from the same endpoint as the docs? Extra credit if you publish the MD5 signature in the docs and validate it from a public HTTP endpoint (e.g. https://seafile.com/hash/8.0.7) during the Docker build.
@GogoFC
Copy link

GogoFC commented Jan 20, 2022

I'm pretty sure many of the developers live in China :) , no offence just a little fun. Seafile isn't Huawei :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@oskapt @GogoFC