Bitwarden Statement on Checkmarx Supply Chain Incident

https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127

The Bitwarden CLI was compromised.

"The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately.

The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data."

@jdaviescoates RustFS is available in unstable now. Would that suit?

@nebulon Oh, well done, nebulon. Wouldn't this work for the S3 addon for cloudron? Anyway, I shall delete the request, since you are already ahead of me!

• • Main Page: https://rustfs.com
• • Git: https://github.com/rustfs/rustfs
• • Licence: Apache 2.0
• • Dockerfile: Yes (Dockerfile, Dockerfile.glibc, Dockerfile.source, plus docker-compose.yml and an official image at rustfs/rustfs:latest)
• • Demo: https://play.rustfs.com

• ---

• • Summary:

• RustFS is a high-performance, S3-compatible distributed object storage system written almost entirely in Rust (98%+ of the codebase). It is positioned explicitly as a drop-in replacement for MinIO, with binary-level migration compatibility documented by the upstream team, and it is one of the few serious contenders in this space released under a permissive Apache 2.0 licence rather than AGPL v3.

• The project ships single-node and distributed modes, full S3 core API coverage, versioning, bucket replication, bitrot protection, WORM object locking, event notifications, server-side encryption via RustyVault, and a web console on port 9001 with the S3 API on port 9000. Lifecycle management, distributed mode polish, and the RustFS KMS are currently marked as under testing. Helm charts, a Nix flake, and multi-architecture Docker images (linux/amd64, linux/arm64) are all provided upstream, so Cloudron packaging should be reasonably straightforward.

• Momentum is real: 21.3k GitHub stars, 924 forks, 91 contributors, 2,306 commits, 83 tags, and the project was recently accepted into the NVIDIA Inception Program (April 2026) and featured in the Runa Capital ROSS Index Q4 2025 fastest-growing open-source startups list.

• ---

• • Notes:

• Why this matters for Cloudron now: MinIO's community edition effectively stopped receiving features and has gone into maintenance mode, with the upstream GitHub repository archived in February 2026. The Cloudron MinIO package maintainer has already advised users not to auto-update and to plan migrations. Garage is the other open source alternative currently being packaged by the community, but it is AGPL v3 and its two community packages are not yet in the official store. SeaweedFS is the pragmatic official option today (Apache 2.0, already packaged), but RustFS is the most direct functional replacement for MinIO specifically, which matters for anyone with existing tooling, mc muscle memory, or apps configured against a MinIO endpoint.

• Licence advantage: Apache 2.0 is a genuine differentiator. Anyone packaging Cloudron apps or wrapping object storage into a downstream product avoids AGPL reciprocity obligations entirely, which is not the case with Garage or with AGPL-era MinIO.

• Concerns worth flagging honestly:

• • Still alpha. Current releases are tagged v1.0.0-alpha.* (alpha.76 at time of writing). The upstream Feature & Status table marks distributed mode, lifecycle management, and KMS as under testing. This is a staging-first, production-soon project.
• • Security posture has been a topic of concern: a hardcoded static token CVE was disclosed earlier (see the project's GitHub security advisories), and the initial CLA was criticised as overreaching. The team has since revised the CLA to a standard License Grant model where contributors retain ownership, and they have publicly committed to keeping the core repository permanently open source. Worth reading the security advisories tab before deploying.
• • Marketing copy on rustfs.com leans hard and has some translation artefacts. The actual engineering, reflected in the GitHub repo and commit activity, is significantly more substantial than the marketing suggests.

• Packaging effort estimate: Low to moderate. Official multi-arch Docker images, a published docker-compose.yml, a helm chart at charts.rustfs.com, and a standard two-port exposure model (9000 API, 9001 console) make this a straightforward Cloudron packaging target. Default credentials are rustfsadmin/rustfsadmin and should be rotated at first boot via env vars. Persistent paths are /data and /logs with a non-root UID of 10001. Backup-wise, the data and logs directories are the full surface area for a single-node install.

• Given the MinIO situation, having RustFS alongside SeaweedFS in the Cloudron store would give self-hosters a clear Apache 2.0 migration path for existing MinIO workloads without waiting for the Garage community packages to mature.

• ---

• • Alternative to / Libhunt link:
• • AlternativeTo: https://alternativeto.net/software/rustfs/
• • Libhunt: https://www.libhunt.com/r/rustfs
• • Listed as a MinIO alternative on: https://www.libhunt.com/r/minio
• • Screenshots / brand logo:
• • Live demo console: https://play.rustfs.com
• • Performance demo video and architecture diagrams in the upstream README: https://github.com/rustfs/rustfs#readme
• • Brand logo and homepage screenshots: https://rustfs.com

@ekevu123 said:

This is fixed in the next release coming up today!

It is brilliant to have the developer on Cloudron! Thank you, @ekevu123

@jdaviescoates This is exactly why I use the privatebin. Cloudron staff don't want ai content on the forum. There are good reasons for this. To try and oblige, yet still attempt to help, I use the privatebin for that. There are problems with that too, eg having to go off the forum if you want to read it, and if the pastebin site goes down it is not good for the forum SEO.

The only alternative I can see is a policy of, "If you don't have anything human to say, don't say it at all." There could be some value to that, but I think as time goes on, AI will become increasingly useful in debugging, packaging and we might even want an entirely ai user in the future, who knows. Maybe we could have an ai section to the forum?

It is also hard to judge whether some of it might be useful.

As it stands, I am aware most people tend to not value what my ai provides at the moment. I don't want to spam people.

Small bug in agate+ start.sh, tmpfs wipes /tmp/proxy/ on restart

---

TL;DR: /tmp is tmpfs on Cloudron, so /tmp/proxy/*.sh vanishes on every restart. Line 52 cp fails, set -e kills start.sh before supervisord launches, nothing binds :8000, healthcheck loops forever. Wrap the cp block in if [ -f /tmp/proxy/restart-proxy.sh ]; then ... fi.

---

Hi @timconsidine! We ran into a restart loop on agate+ today and wanted to flag the cause in case others hit it too.

Symptoms in the app logs:

cp: cannot stat '/tmp/proxy/restart-proxy.sh': No such file or directory
=> Healthcheck error: Error: connect EHOSTUNREACH 172.18.x.x:8000

What's happening

In normal run mode on Cloudron, /tmp is backed by a fresh tmpfs on every container start, which shadows the /tmp/proxy/ files baked into the image. So the cp on line 52 of start.sh fails, set -e aborts the script, and exec supervisord on line 154 never runs. healthcheck.js never binds port 8000, Cloudron healthcheck fails, container gets restarted — and round it goes forever.

The copied files already exist in /app/data/ from the first install anyway, so the cp is really only needed on fresh installs.

(In debug mode the tmpfs overlay isn't applied, so the files are visible and the app starts fine, which made it a bit confusing to diagnose at first.)

Suggested fix

Guard the proxy-file copy block so it's a no-op when the source isn't there:

if [ -f /tmp/proxy/restart-proxy.sh ]; then
  cp /tmp/proxy/restart-proxy.sh /app/data/restart-proxy.sh
  cp /tmp/proxy/register-new-instance.sh /app/data/register-new-instance.sh
  cp /tmp/proxy/deregister-instance.sh /app/data/deregister-instance.sh
  chmod +x /app/data/register-new-instance.sh /app/data/deregister-instance.sh /app/data/restart-proxy.sh
fi

Alternatively, stage those helpers somewhere persistent (e.g. ship them in /app/code/proxy/ and copy from there) so they survive the tmpfs reset on every restart, not just on fresh installs.

Tested the guarded version on our instance and it's back up and running cleanly. Happy to open an MR if useful.

This project has been gathering steam since it was first requested. Quite a few more contributors:

https://paste.wanderingmonster.dev/?47678a83fbcc87b4#A5dfMqhaUyv8PZpCLXLg7j7USAP8Aw7BSeWKv9ujqfHs

@timconsidine thanks. This was on my own version. I haven't got round to trying yours yet Tim, but yours is the one people should try.

Follow-up: one more config.yml directive needed to avoid Cloudron healthcheck failures

A week or so after getting our production instance working, it silently went unhealthy on us. Worth documenting for anyone else who follows this guide, because the symptom is confusing and the fix is trivial.

Symptom

The Cloudron dashboard shows the app as "not responding", or the browser shows a Cloudron error page instead of docassemble. Inside the container, everything looks healthy:

# supervisorctl status
celery           RUNNING
celerysingle     RUNNING
cron             RUNNING
main:initialize  RUNNING
nginx            RUNNING
uwsgi            RUNNING
websockets       RUNNING

Meanwhile, the Cloudron app log fills up with this, every ten seconds, indefinitely:

=> Healthcheck error got response status 501
=> Healthcheck error got response status 501
=> Healthcheck error got response status 501

And docassemble.log shows repeated entries like:

docassemble: ip=172.18.0.1 i=docassemble.base:data/questions/default-interview.yml uid=None user=anonymous 2026-04-16 20:47:50 Not authorized

What is actually happening

Docassemble is fine. uWSGI is answering requests. The problem is that it is answering Cloudron's healthcheck probe of / with HTTP 501 NOT IMPLEMENTED.

Testing from inside the container confirms this:

# curl -sI http://localhost:8080/
HTTP/1.1 501 NOT IMPLEMENTED
Server: nginx
Content-Type: text/html; charset=utf-8

This is docassemble's deliberate behaviour when an anonymous user hits the root URL and there is no default interview set and no root redirect configured. It falls through to the factory default interview (docassemble.base:data/questions/default-interview.yml), which refuses anonymous access and returns 501 with a "Not authorized" body. There is even a dedicated /static/app/501.min.js in the response HTML, so this is a well-worn code path upstream.

Cloudron's healthcheck expects a 2xx or 3xx at the probe path. 501 trips the unhealthy marker, and after a few failed probes Cloudron stops proxying user traffic to the app. The app is then effectively offline to users even though it is running normally internally.

The fix

Add a single directive to /app/data/config/config.yml:

root redirect url: /user/sign-in

Then restart uWSGI from inside the container (via the Cloudron terminal):

supervisorctl restart uwsgi

After this, / returns a 302 redirect to /user/sign-in, which returns 200, and Cloudron's healthcheck is satisfied. The sign-in page is a sensible default landing for a private docassemble instance anyway.

Verification from inside the container:

# curl -sI http://localhost:8080/
HTTP/1.1 302 FOUND
Location: /user/sign-in

Give Cloudron 30-60 seconds to pick up the healthy state. The app will come back online in the dashboard.

Why this probably didn't bite us during the initial packaging

Best guess is an upstream behaviour change in docassemble itself. Earlier versions may have redirected anonymous root requests to the sign-in page automatically; current versions return 501 unless root redirect url or default interview (with anonymous access enabled) is explicitly set. It works on first install because the default interview loads once and caches, then fails later when cache conditions change or the app is redeployed.

Suggested addition to the packaging guide

Two options for handling this in the package itself, either of which would remove the manual step:

1. Have start.sh ensure root redirect url: /user/sign-in is present in the generated config.yml if neither root redirect url nor default interview is set by the user.
2. Add it as a default to the config template, so any new install gets it on first boot.

Option 1 is safer because it will not override a user who has deliberately set one of those directives.

Happy to PR this into the repo if there is interest.

@joseph We've done a structured evaluation of the official cloudron-app-packaging skill, and I'd like to share the results with you privately before deciding whether any of it should be more visible. I can't upload files in the chat.

@joseph There is a packaging skill? Wow! I didn't know about that. Thank you. I might try it. Having a package instead of an evaluation would be much better!

Its ashes are scattered to the wind. It shall not darken our doors again.
I shall clean them up, if you spot any of its remains.

Sorry about that.

@joseph I shall kill that monster and eradicate its remains

@ekevu123 Yes, I take your point. I did these in a batch, catching up on several apps on the wishlist all at once, so their appearance all at once is a bit of a distraction.

Also, I accept that they most people so far don't find them useful. I doubt we shall see these Wandering Monster reports in the future, unless there is some way to have them improved.

@ekevu123 Hey, thanks for developing this application! Thanks also for being on Cloudron - it is brilliant to have developers interested in having their applications packaged. Thank you also for your feedback on the automated report.

It is beginning to look like this "Wandering Monster's" days are numbered!

@timconsidine This is a good point. If I do try these in the future, I shall be sure of checking if they are packaged first. It is useful to check if the estimates prove accurate though.

Can you remember if this was actually hard?

@timconsidine Well done on that. Was it really a relatively easy one to do?

@jdaviescoates I shall hold off posting any more of these till there is some consensus on whether they might be made useful.

sorry about the noise!

@jdaviescoates Thanks, I was just processing a batch of them, and didn't check carefully if they had been packaged yet.

One thing that would be useful is to find where these reports stray. If they are just noise, I will definitely stop the monster, but if they can be adjusted to be more helpful, I shall try that.

This one was particularly clear that it was a no-no, yet it manged to be packaged!