Merge pull request #3327 from Kriechi/docker-notice

add docker security warning

5 files changed, 19 insertions, 6 deletions

diff --git a/release/cibuild.py b/release/cibuild.py
index 6264c72b..ba17ced2 100755
--- a/release/cibuild.py
+++ b/release/cibuild.py
@@ -312,7 +312,7 @@ def build_docker_image(be: BuildEnviron, whl: str):  # pragma: no cover
         "--tag", be.docker_tag,
         "--build-arg", "WHEEL_MITMPROXY={}".format(whl),
         "--build-arg", "WHEEL_BASENAME_MITMPROXY={}".format(os.path.basename(whl)),
-        "--file", "docker/Dockerfile",
+        "--file", "release/docker/Dockerfile",
         "."
     ])
     subprocess.check_call([
@@ -321,7 +321,7 @@ def build_docker_image(be: BuildEnviron, whl: str):  # pragma: no cover
         "--tag", be.docker_tag + "-ARMv7",
         "--build-arg", "WHEEL_MITMPROXY={}".format(whl),
         "--build-arg", "WHEEL_BASENAME_MITMPROXY={}".format(os.path.basename(whl)),
-        "--file", "docker/DockerfileARMv7",
+        "--file", "release/docker/DockerfileARMv7",
         "."
     ])
 
diff --git a/docker/Dockerfile b/release/docker/Dockerfile
index bbe88c9d..7c9a2421 100644
--- a/docker/Dockerfile
+++ b/release/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.7
+FROM alpine:3.8
 
 ENV LANG=en_US.UTF-8
 
@@ -33,7 +33,7 @@ RUN addgroup -S mitmproxy && adduser -S -G mitmproxy mitmproxy \
 
 VOLUME /home/mitmproxy/.mitmproxy
 
-COPY docker/docker-entrypoint.sh /usr/local/bin/
+COPY release/docker/docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 
 EXPOSE 8080 8081
diff --git a/docker/DockerfileARMv7 b/release/docker/DockerfileARMv7
index 2988b5e4..6e04b7ad 100644
--- a/docker/DockerfileARMv7
+++ b/release/docker/DockerfileARMv7
@@ -37,7 +37,7 @@ RUN [ "cross-build-end" ]
 
 VOLUME /home/mitmproxy/.mitmproxy
 
-COPY docker/docker-entrypoint.sh /usr/local/bin/
+COPY release/docker/docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 
 EXPOSE 8080 8081
diff --git a/docker/README.md b/release/docker/README.md
index 6693de45..4511a33a 100644
--- a/docker/README.md
+++ b/release/docker/README.md
@@ -35,4 +35,17 @@ For further details, please consult the mitmproxy [documentation](http://docs.mi
 
 # Tags
 
-The available release tags can be seen [here](https://hub.docker.com/r/mitmproxy/mitmproxy/tags/).
+The available release tags can be seen
+[here](https://hub.docker.com/r/mitmproxy/mitmproxy/tags/).
+
+* `master` always tracks the git-master branch and represents the unstable development tree.
+* `latest` always points to the same image as the most recent stable release, including bugfix releases (e.g., `4.0.0` and `4.0.1`).
+* `X.Y.Z` tags contain the mitmproxy release with this version number.  
+* `*-ARMv7` are images built for Raspbian / Raspberry Pi systems.
+
+# Security Notice
+
+Dependencies in the Docker images are frozen on release, and can’t be updated in
+situ. This means that we necessarily capture any bugs or security issues that
+may be present. We don’t generally release new Docker images simply to update
+dependencies (though we may do so if we become aware of a really serious issue).
diff --git a/docker/docker-entrypoint.sh b/release/docker/docker-entrypoint.sh
index a4abe4ce..a4abe4ce 100755
--- a/docker/docker-entrypoint.sh
+++ b/release/docker/docker-entrypoint.sh