cross-posted from: https://lemmy.world/post/26728988
Hi - I’m rebuilding my homelab and want to give docker compose another try. It looks like Watchtower is years out of date now. I see two forks that look more promising per https://techgaun.github.io/active-forks/index.html#https://github.com/containrrr/watchtower
These two: https://github.com/beatkind/watchtower https://github.com/nicholas-fedor/watchtower
The former seems to have more activity. What are you all using?
Just because there is no update does not mean there are security vulnerabilities to worry about, or do you have a specific one that is not fixed?
The attack vector seems very narrow to me. It checks the container registry downloads the containers and runs some docker commands.
It has no interface, so in order to attack it you either have to compromise the container registry (but then it would be easier to compromise the containers you download) the secure connection used to download the containers (https is quite stable) or something on the server side.
Also the project does not really look that abundant to me.
EDIT: So i have not checked this, but watchtower is probably using docker for most steps anyway? So basically the only thing that could be attacked is via the notifications watchtower is sending?