Potential problem with update-lxcs-cron.sh?

[thibaultmol]

I want to be very clear: I don't want to cast doubt on the security of you @tteck
I'm just thinking about all the things that could happen. And one of those things is:
The LXC cron updater script makes it so that every time the cron job is run, it downloads the script from the github page.
My question is: isn't possible to just have that script local? IF SOMEHOW the github repo got compromised then this malicious script will be cron job downloaded on (potentially) a large amount of systems that use your scripts.

Again, just something I've been thinking about

[tteck]

Sure, download the cron-update-lxcs.sh and modify it to follow your local path.

[thibaultmol]

That was indeed what I was going to do. But maybe this would be a good thing to change in the actual script itself. So that others also can't have this potential problem

[tteck]

The concept here is that if any updates or modifications are required for the update-lxcs-cron.sh script, it is automatically implemented for the end user (which is your initial concern). This is intended as a feature. However, if you opt for the local route, the responsibility for making any updates to the script would be on your end.

[tteck]

IF SOMEHOW the github repo got compromised

I prioritize site security and place a high emphasis on ensuring the safety of source code repositories. While GitHub is generally recognized as a secure platform for hosting and managing code, I take meticulous steps to eliminate vulnerabilities in the access procedures.

[towerhand]

Thanks tteck. With that in mind, would it be possible to add a check for the "update" command (that you added in your newer scripts) within the lxc and run it if found? That way, we can also keep the applications up to date by using the update-lxcs and update-lxcs-cron scripts instead of the user having to log in and run the "update" command individually.

[tteck]

I don't think so, some application updates are not unattended.

[towerhand]

What about adding the option to the update script to run it unattended? For example, "update -y1" on the Vaultwarden LXC, where "y" is for yes and "1" is for the first option on the list (1 VaultWarden 1.30.1). From there, users can set up a cron job to update the application regularly if they want to.