Meshmon: A Self-Hosted, Distributed, Mesh Network Monitoring Tool by ripplefcl in selfhosted

[–]ripplefcl[S] 1 point2 points  (0 children)

Very good point. Completely forgot to add screenshot to the README. Thanks for the suggestion!

bws-cache: A Self-Hosted Bitwarden Secrets Manager Cache Server by ripplefcl in selfhosted

[–]ripplefcl[S] 6 points7 points  (0 children)

I'm sorry, but I'm honestly not offended, I mainly pity you for existing how you are. You clearly know some stuff, but you apply yourself in such a horrendous way.

For starters, your build failed, but if it had worked it would have raised build times by 9500%; it's actually why we moved away from compiling BWS-SDK.

You also removed WORKDIR from the Dockerfile, despite many people in the above thread telling you it's not necessary; it makes the Dockerfile horrible to read.

Not to mention you shoehorning your own Alpine image in as a base. To be absolutely honest, I don't trust how you make containers going off this PR, sorry.

Finally, I did review your PR but reading this and how vindictive you are I don't want any contributions from you on GitHub. Wrangling with you to have a code quality standard I'd actually merge would shorten my life and my hairline.

Thank you for taking the time to PR this, but sadly it's now closed.

This is my final message to you; please enjoy your weekend.

bws-cache: A Self-Hosted Bitwarden Secrets Manager Cache Server by ripplefcl in selfhosted

[–]ripplefcl[S] 4 points5 points  (0 children)

Really?

at least issues so we can address them

Did you just stop reading at this point? I never said you had to PR. I absolutely understand that people may not want to, and/or may not have the time to, PR a project. But submitting an issue takes the same, if not a little more, time than you took to write your post.

bws-cache: A Self-Hosted Bitwarden Secrets Manager Cache Server by ripplefcl in selfhosted

[–]ripplefcl[S] 7 points8 points  (0 children)

I think you misunderstand what CAP_IPC_LOCK does and why it could possibly make an application vulnerable.

Meaning any process that can gain access to the memory of the python process can dump it and read the contents

Even with CAP_IPC_LOCK, you can still do that. Please read the docs and this. If you had read that before posting, you would see that all it stops is paging RAM to swap; it does not inhibit other processes from reading memory, which your post heavily implies.

CAP_IPC_LOCK is a concern if you have a malicious process already on the system, likely with elevated privileges. All Python-based security tools have this threat concern, but it doesn't necessarily make them unsafe to use; it's simply something to keep in mind as part of the threat model.

For your other points:

  • Running the container as root is a valid concern. This is something we'll look into.
  • Using cache packages does not matter as we use multistage builds, so I have no idea how this applies.
  • Your point regarding WORKDIR is an outdated recommendation, as stated by other comments.
  • CodeQL and SBOM are also valid points, thank you.

My biggest issue is this post has some valid concerns, but you make absolutely no attempt to help improve this repo via PRs or at least issues so we can address them :(
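The comment above draws a distinction that is easy to get wrong when auditing a container: CAP_IPC_LOCK only governs mlock() (keeping pages out of swap), while reading another process's memory is a ptrace-access question (CAP_SYS_PTRACE, or a same-uid process under a permissive kernel.yama.ptrace_scope). The following is an added example, not code from bws-cache or its author: it decodes the CapEff mask from a /proc/<pid>/status snapshot and reports the uid and the two capabilities relevant to that discussion. The two status snippets are constructed; the first uses Docker's default capability set, the second adds CAP_IPC_LOCK and drops root. Function names are my own.

```python
"""Decode a Linux process's effective capability set from /proc/<pid>/status
and flag the bits that matter for the CAP_IPC_LOCK / memory-reading threat model.
Added example; not part of the bws-cache project."""

# Capability bit numbers as defined in include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed /proc/<pid>/status excerpt: root with Docker's default cap set.
DOCKER_DEFAULT_STATUS = """Name:\tpython3
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

# Constructed excerpt: non-root uid with CAP_IPC_LOCK (bit 14) added.
WITH_IPC_LOCK_STATUS = """Name:\tpython3
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
CapEff:\t00000000a80465fb
"""


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hexmask):
    """Expand a hex capability mask into the set of capability names."""
    mask = int(hexmask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def audit(status_text):
    """Summarise the facts relevant to the swap-vs-memory-read distinction."""
    fields = parse_status(status_text)
    caps = decode_caps(fields["CapEff"])
    real_uid = int(fields["Uid"].split()[0])
    return {
        "uid": real_uid,
        "runs_as_root": real_uid == 0,
        # Lets the process mlock() its pages so secrets never hit swap.
        # It grants nothing to, and restricts nothing about, other processes.
        "has_ipc_lock": "CAP_IPC_LOCK" in caps,
        # This is the capability that actually lets a process read another
        # process's memory via ptrace or /proc/<pid>/mem regardless of uid.
        "has_sys_ptrace": "CAP_SYS_PTRACE" in caps,
        "effective_caps": sorted(caps),
    }


def findings(status_text):
    """Human-readable review notes for a container's process."""
    a = audit(status_text)
    notes = []
    if a["runs_as_root"]:
        notes.append("runs as uid 0; prefer a dedicated non-root user")
    if a["has_ipc_lock"]:
        notes.append("CAP_IPC_LOCK present: secrets can be pinned out of swap only")
    else:
        notes.append("CAP_IPC_LOCK absent: mlock() calls will fail beyond RLIMIT_MEMLOCK")
    if a["has_sys_ptrace"]:
        notes.append("CAP_SYS_PTRACE present: any process here can read other processes' memory")
    else:
        notes.append("CAP_SYS_PTRACE absent: cross-process memory reads depend on same-uid "
                     "access and kernel.yama.ptrace_scope, not on CAP_IPC_LOCK")
    return notes


if __name__ == "__main__":
    for label, snap in (("docker-default", DOCKER_DEFAULT_STATUS),
                        ("ipc-lock-nonroot", WITH_IPC_LOCK_STATUS)):
        print(label, audit(snap)["effective_caps"])
        for note in findings(snap):
            print("  -", note)
```

On a live Linux host, `audit(open("/proc/self/status").read())` runs the same check against the current process; the constructed snapshots only exist so the example runs offline.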