Add a disclaimer/caveat to the ReadMe #336

Open
atom-box opened this issue Nov 2, 2023 · 5 comments

Comments


atom-box commented Nov 2, 2023

Based on emails we get, folks treat this repo with a lot of trust -- more than we intend.
We should consider adding a stronger disclaimer, preferably on the readme page.


atom-box commented Nov 2, 2023

It would be great if we added the following. This is a saved reply we have sent before from the Support email team:

Please note that the Matomo docker images do not form part of our automated security assessments and vulnerability scans. We only do this for the Matomo codebase itself.

If you need to fix this in order to deploy the container to your network, then there are a few options available to you:

  • Build your own docker image to be used for your Matomo deployment. For our security-focused users, this is going to be the best method available as it ensures you have complete and full control of all dependencies and packages installed in the container itself or
  • Update the vulnerable packages in the docker image and save the patched image as your base image for deployment. This is likely the easiest solution if you don't want to go through the process of building your own docker image from scratch. The process of updating packages and committing the changes to the base image is out of the scope of our support, but there are several guides online that you can use to make the necessary changes to your docker image.

@ezekieldas

Ugh. Given the mishaps in getting the container up for a quick assessment/demo + this issue informing me of "complete and full control of all dependencies and packages..." leads to my confidence in this project quickly waning.

We expect project owners to not only offer containers, but also ensure integrity with their container offerings. My team is focused on delivering results rather than goose chase finger traps. No container or neglected container is so last century.

We may revisit sometime next year.

@michalkleiner
Contributor

@ezekieldas thank you for your feedback. We will pass it on to the product team.

In the meantime, you can browse the free demo on https://demo.matomo.cloud/ or quickly establish a free trial with all the premium features via https://matomo.org and https://matomo.org/lets-get-started/.

Collaborator

J0WI commented Nov 14, 2023

@atom-box
Author

We had another user today report that they use this matomo docker image "as is", without customizing it.
