Minio is vulnerable

[francoism90]

Sail Version

1.46.0

Laravel Version

12.x

PHP Version

8.4.x

Operating System

Linux

OS Version

6.16

Description

Minio has decided to not publish any Docker images anymore: minio/minio#21647

This means current users have a CVE, because the Docker image doesn't provide any (security) updates anymore.

I think Sail should move on to something different, which also is compatibel with S3 and has a better license model.

S3 testing is very useful, it also provides an easy way to manage (storage) volumes.

Steps To Reproduce

1. Add minio when setting up Laravel Sail
2. Expect no CVEs

[bram-pkg]

Curious to see what Sail goes for to replace Minio. We are currently looking at alternatives for our own custom docker compose setup, and so far have found SeaweedFS and GarageHQ. Both seem decent. Somebody on the Hackernews thread also mentioned RustFS.

[DarkGhostHunter]

RustFS seems like the drop-in replacement for Min.io. I would rather use that than a software that rugpulls constantly.

Also, not only the docker images are vulnerable, but unsupported. Given that, the images should be removed and replaced ASAP.

[francoism90]

@bram-pkg From my first impressions, it seems SeaweedFS is very nice, but also more complex compared to MinIO. Garage seems like a good replacement, but it seems relatively new?

@DarkGhostHunter RustFS seems to be very experimental (not production ready), but indeed seems to be the best alternative. The https://github.com/rustfs/rustfs/blob/main/docker-compose.yml seems to have many services, but it doesn't seem everything is needed.

[DarkGhostHunter]

Seems it only needs the main docker service.

[francoism90]

Edit: Oops! I thought you commented on Minio lol.

Yeah, it only seems to need that one. :)

[DarkGhostHunter]

Just to add, I'm looking for a drop-in replacement, hopefully with some kind of UI to manage on development.

RustFS seems like the most direct alternative for this (drop in, S3 compatibility), but I'm hearing other alternatives. I saw Garage and I liked it, but it requires some bootstrap and looks like you cannot change anything outside its config file (when you want to use an .env file).

[bram-pkg]

AFAIK you can reference environment variables in the Garage config

[DarkGhostHunter]

AFAIK you can reference environment variables in the Garage config

Does it requires a config file anyway?

Just trying to find a drop-in replacement. I imagine other developers would too, if the update their Laravel Sail installation.

[bram-pkg]

It could be an easy replacement, if the Sail repository included a sensible config file for Garage.

SeaweedFS would be easier in the sense that it can be configured entirely from command line parameters.

[DarkGhostHunter]

If that config file can retrieve the environment variables from the .env file, I'm in. Otherwise, seems that SeaweedFS could be the next in line. Dunno about the latter in term of stability, but since it's a development environment, as long it works like Minio.

[francoism90]

@bram-pkg @DarkGhostHunter I have created a PR for this, could you please check it out? :)

I can test this after the weekend, but if it works for you, I can update the PR to ready (or add any changes needed).

[francoism90]

@bram-pkg I think SeaweedFS is more complex: https://raw.githubusercontent.com/chrislusf/seaweedfs/master/docker/seaweedfs-compose.yml

Please correct me if I'm wrong, but it seems to need multiple services, and a lot more ports.

[bram-pkg]

That's not true. All the necessary things can just run in one container when you pass -s3

[francoism90]

@bram-pkg If you can show me, please! :)

I'm happy to also add SeaweedFS.