This is an automated archive made by the Lemmit Bot.
The original was posted on /r/unraid by /u/StabilityFetish on 2023-09-23 17:40:07.
I’ve looked for a while and never been able to find a clear answer on the docker app supply chain, so to speak. Sometimes you’ve got full first party software, like Plex who maintains their own unraid community app and it pulls from an official plex repo on dockerhub. Other times you’ve got full 3rd party like linuxserver maintaining their own sonarr app which pulls from their own linuxserver repo on dockerhub. But most lot of the time, there seems to be this hybrid where you find apps maintained by unknown internet users, but the docker repo it points to is the proper official dockerhub repo.
So my question is, what is the role of the maintainer? Does them being a rando anon internet person present risk?
- Can the maintainer inject malware into or on top of a legitimate docker image?
- Can they change the docker repository that their app is pointed at to a malicious one?
- When my dockers have updates, are those from the dockerhub repo or the maintainer?
- If a maintainer goes MIA, would updates to that docker on unraid stop?
My best understanding is that they only maintain the unraid settings, like what you would configure if you used Add Container manually (repo, ports, paths, etc).
Community apps seems to highlight certain apps or dockers as official, starred, or similar tags, but I can’t find information about what that technically means or the vetting process.