Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Safety Request] Official and reproducible docker builds, and repo builds for Debian & RHEL ecosystems | 官方的, 可重现的 Docker builds,以及申请纳入 Debian 和 RHEL 生态系统的 repo builds. #2837

Closed
R8s6 opened this issue Dec 21, 2023 · 4 comments
Closed

[Safety Request] Official and reproducible docker builds, and repo builds for Debian & RHEL ecosystems | 官方的, 可重现的 Docker builds,以及申请纳入 Debian 和 RHEL 生态系统的 repo builds. #2837

R8s6 opened this issue Dec 21, 2023 · 4 comments

Comments

@R8s6
Copy link
Contributor

R8s6 commented Dec 21, 2023
edited
Loading

Docker builds can be used on virtually any Linux distros.

Currently there are 2 "endorsed" docker builds:
iamybj/docker-xray
teddysun/xray

But questions arise immediately: who are iambj and teddysun anyways? Are they core developers of this project? Why can they be trusted?

There's seemingly no quick answers to their trustworthiness or identities (which, to their benefits, should be well protected from ccp anyways), and because chinese government can, as they wish, arrest and prosecute any person who tries to get past GFW, this is a sensitive issue with regards to the devs' and users' personal safety.

So it is utterly important to provide chain of trust from the source code to the docker builds, such that the docker builds are built exactly from the source code.

On a lower priority, the same reasoning applies to my humble request for Debian & RHEL builds, too, because, if xray were accepted by debian or redhat linux, the package will have trusted maintainers, and this would make xray available and trustworthy for most servers.

Thank you very much.

中文

Docker builds 可以在几乎任何 Linux 发行版上使用。

目前有两个被链接的 Docker builds:
iamybj/docker-xray
teddysun/xray

但我們难免立刻会问:iamybj 和 teddysun 到底是谁?他们是这个项目的核心开发人员吗?为什么可以信任他们?

对于他们的信誉或身份,似乎没有快速的答案(这些信息免于被中国政府得知对他们个人来说其实是很好的),而由于中国政府可以逮捕和起诉任何一个尝试翻墙的人,这里提到的 docker build 的问题涉及到开发人员和用户的个人安全。

因此,从源代码到 Docker 构建提供信任链是非常重要的,以确保 Docker build 是完完全全从源代码精确构建的。

在较低的优先级上,同样的推理也适用于我对 Debian 和 RHEL builds 的谦虚请求,因为如果 xray 被 Debian 或 RedHat Linux 接受,该软件包将拥有可信的维护者,这将使 xray 在大多数服务器上是可用并且可信的。

非常感谢。
@R8s6
Copy link
Contributor Author

R8s6 commented Dec 29, 2023

Found official docker repo (发现官方 docker):
https://ghcr.io/xtls/xray-core

It's actually always been there under "packages" on the right side of the main page.

I added a simple line to README.md, which is now merged.

case closed.

@R8s6 R8s6 closed this as completed Dec 29, 2023
@RPRX RPRX mentioned this issue Apr 26, 2024
Merged
RPRX added a commit that referenced this issue Apr 26, 2024
@RPRX
README: Remove iamybj/docker-xray
a476310 
#2459 (comment)

Fixes #2837
@RPRX
Copy link
Member

RPRX commented Apr 26, 2024

感谢你提的 issue,a476310 已移除 iamybj/docker-xray 并显著标注两处 Official

可以信任 @teddysun其实他的也相当于 Official

看到 tempest 是 @Fangliding 加的,@Fangliding 来说明一下情况,不过这个是开源脚本应该没问题

@Fangliding
Copy link
Member

Fangliding commented Apr 26, 2024
edited
Loading

@RPRX 我朋友写的 非常简短随便看
最开始就是觉得为什么官方脚本这么长

@teddysun
Copy link
Member

可以信任 @teddysun其实他的也相当于 Official

感谢大佬信任。
用于制作 Docker Image 的 Dockerfile 早已开源。
其编译脚本 build_xray.sh 在此。

与此同时目前我还维护着 xray 的 rpmdeb 包制作。
使用方法:
https://teddysun.com/666.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@teddysun @R8s6 @Fangliding @RPRX