
Consider adding `--no-install-recommends` to generated `apt-get install ...` commands
Closed, Declined (Public)

Description

Flagged by a https://semgrep.dev/ run against the Blubber-generated Dockerfiles used by Toolhub.

severity:info rule:security.semgrep-rules.generic.dockerfile.best-practice.missing-no-install-recommends: This 'apt-get install' is missing '--no-install-recommends'. This prevents unnecessary packages from being installed, thereby reducing image size. Add '--no-install-recommends'.

Adding this flag could reduce container size, but may also break new container builds for some projects which rely on recommended packages for needed functionality. A safer way to introduce this would be as an opt-in flag in the Blubber config (apt.install_recommends?), possibly with a timeline for phasing out the flag and making this the default behavior.

Event Timeline

Our containers already disable installing recommended packages via apt configuration:

km@cashew ~/g/o/puppet> podman run --rm -it docker-registry.wikimedia.org/bullseye:latest
root@717147d95234:/# cat /etc/apt/apt.conf.d/00InstallRecommends 
APT::Install-Recommends "false";

I don't know whether it would be worth adding in this flag to satisfy the linter.

As noted by @Legoktm, this is handled by global config for apt that is baked into our base images. This potentially makes Blubber a bit less reusable with arbitrary base images, but as long as it is a Wikimedia-specific tool this is fine.
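To make the check above reproducible, here is an added shell helper (example code, not part of Blubber, Toolhub or this task) that reports the effective APT::Install-Recommends value for an apt.conf.d directory and says whether --no-install-recommends would be redundant for images built on it. It relies on apt's documented behaviour that configuration fragments are read in lexical order and a later scalar assignment overrides an earlier one. The sample fragments are constructed here, modelled on the 00InstallRecommends file quoted above, and the function names are the example's own. It only understands the flat `APT::Install-Recommends "...";` spelling, not the nested `APT { ... }` block form, and the ignored-suffix list is a subset of apt's default Dir::Ignore-Files-Silently.

```shell
# Report the effective APT::Install-Recommends value for an apt.conf.d
# directory. apt reads the fragments in lexical order and a later scalar
# assignment overrides an earlier one, so the last assignment seen wins.
# Assumptions: only the flat 'APT::Install-Recommends "value";' spelling is
# parsed (not the nested 'APT { Install-Recommends ...; }' form), keys are
# matched case-sensitively, and the skipped suffixes below are a subset of
# apt's Dir::Ignore-Files-Silently defaults.
effective_install_recommends() {
    dir=$1
    value="true"   # apt's compiled-in default when no fragment sets it
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *~|*.disabled|*.bak|*.dpkg-*|*.ucf-*) continue ;;   # apt ignores these
        esac
        # Last assignment within a file wins too, hence tail -n 1.
        v=$(sed -n 's/^[[:space:]]*APT::Install-Recommends[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            value=$v
        fi
    done
    # apt accepts several spellings of a boolean; normalise to true/false.
    case "$value" in
        false|0|no|off) echo "false" ;;
        *) echo "true" ;;
    esac
}

# Exit 0 when --no-install-recommends would be redundant (the image already
# disables Recommends globally), 1 when the flag is still needed.
flag_redundant() {
    [ "$(effective_install_recommends "$1")" = "false" ]
}

# Constructed sample: the base-image layout quoted in this task, plus an
# unrelated fragment to show it is ignored.
make_sample() {
    d=$(mktemp -d)
    printf 'APT::Install-Recommends "false";\n' > "$d/00InstallRecommends"
    printf '// unrelated setting\nAcquire::Languages "none";\n' > "$d/10languages"
    echo "$d"
}

# Constructed sample: a later fragment re-enables Recommends, and a backup
# file that would disable it again is skipped because of its ~ suffix.
make_sample_overridden() {
    d=$(mktemp -d)
    printf 'APT::Install-Recommends "false";\n' > "$d/00InstallRecommends"
    printf 'APT::Install-Recommends "true";\n' > "$d/99local"
    printf 'APT::Install-Recommends "false";\n' > "$d/99local~"
    echo "$d"
}

# Stand-alone demonstration.
demo() {
    for mk in make_sample make_sample_overridden; do
        d=$($mk)
        if flag_redundant "$d"; then
            echo "$mk: Install-Recommends already false, --no-install-recommends only satisfies the linter"
        else
            echo "$mk: Install-Recommends effectively true, --no-install-recommends still needed"
        fi
        rm -rf "$d"
    done
}
```

Running effective_install_recommends against a copy of /etc/apt/apt.conf.d taken from the base image (podman cp works for that) answers the linter's question directly: when the effective value is already false the flag only silences the rule, and when some later fragment flips it back to true the flag is still doing real work.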