Guess I don’t have to, the dev released a new update without analytics, scripts and fonts are internal and created an issue for running as root which someone’s assigned to. This project got some crazy momentum!

Yeah stirling has options to remove though, at least I remember seeing the option since the beginning and disabled it haha. Option to disable that should probably be a 3rd PR then got some work to do lol

More worryingly now looking at loaded JS again it loads an analytics JavaScript file too.

https://github.com/alam00000/bentopdf/blob/main/index.html#L9

Plan to if no one beats me to it… Just gotta find time when I am free and have the energy to program more.

Yeah very exciting project and to be honest a lot of popular services run as root by default. That said this ones harder to change from port 80 without changing the image. Could mount a nginx.conf to override probably though.

I believe you can just do the sha but it would be a similar affect pinning it to that sxact docker image, but doing so without version tag makes it harder for you to know what you are running.

The sha256 is generated by an algorithm based off of the bytes of the image wherr the tag is overwritable and pushed by the developer.

I want to swap to this but also want to do a few PRs but haven’t had the time.

• Dockerfile exposes port 80 and runs as root
• Less concerning, but dislike it, the scripts and CSS use remote cdns rather than being bundled locally

Otherwise I am excited for this. Stirling doesn’t really support replicating even with license and its fat image takes up a bit of my disk space for images.

Its also good practice to include the sha256 digest after the version like

DockerImage:v… @sha256:…

If you pull without digest and say the maintainers get compromised and release an update with the same version tag with malicious stuff in it, then you won’t pull it automatically since the digest does not match.