this post was submitted on 26 Nov 2023
12 points (92.9% liked)

Hacker News

4123 readers
1 users here now

This community serves to share top posts on Hacker News with the wider fediverse.

Rules0. Keep it legal

  1. Keep it civil and SFW
  2. Keep it safe for members of marginalised groups

founded 2 years ago
MODERATORS
[email protected]
12
The Curse of Docker (computer.rip)
submitted 2 years ago by [email protected] to c/[email protected]
4 comments fedilink hide all child comments
 

There is a discussion on Hacker News, but feel free to comment here as well.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 2 years ago

Using containers from public registries is no worse than using third party software. In both cases there's a risk of malicious code. The big difference is that for containers you can scan the image before running it, SBOMs are becoming ubiquitous so dependency vulnerabilities are easier to detect, and runtime protection software is more effective on containers because each container has a deterministic expected behaviour, making it easier to find deviations. I'd much rather manage runtime controls for containers than craft selinux policies.

The bottom line (which the OP article misses) is that while individual container configurations require more effort to set up the additional work to manage them at scale is low, whereas compliance for host based installs is requiring more and more effort. In fact given how popular curl | sh ... is becoming for host based installs I'd argue that they are regressing in terms of safety and reproducibility.