cortesoft 3 days ago

> Every single package, every single dependency, that has an actively exploited security flaw is being exploited in the Docker images you're using, unless you built them yourself, with brand new binaries.

I don't quite understand what you mean with this part

DiabloD3 3 days ago | parent [-]

Docker images are built with binaries that have unpatched security bugs. They will continue to have them because the people building them do not care and do not understand how to actually build images.

If you build the images, and you either source binaries from a clean source or build them yourself, then your images might actually be sane. People and companies can automate this, and some do as part of their orchestration strategy.

Most people want the promise of Docker but don't want to have to actually learn how to orchestrate, and shoot themselves in the foot with images they got from some random dude on DockerHub, and no matter how much people try to educate them it just never sinks in.

cortesoft 2 days ago | parent | next [-]

Ok, but that seems different than:

> Every single package, every single dependency, that has an actively exploited security flaw is being exploited in the Docker images you're using

This says that every exploit in a docker image you use IS BEING exploited, not that it COULD BE exploited.

benterix 3 days ago | parent | prev [-]

But you are aware that most orgs do scan images, right? It's like Docker 101.

DiabloD3 2 days ago | parent | next [-]

Haha, some do, and then don't know what they're looking for.

Companies getting pwned because of Docker image hygiene issues should never make it to the HN front page.

They still do.

If your system does not involve an automatic CI loop of "new package/upstream source code/somebody else's Docker image (yuck)" -> "testing" -> "some sort of staged rollout to prod", then do not use Docker. If you are doing this, then you have better choices than Docker.

Fun fact: From Kubernetes, I can orchestrate actual VMs that start up faster, use less resources, and use my CPU's hardware virtualization instructions and, on top of that all, offer a Docker-compatible API to interface with legacy tools!

It's called Firecracker. It's KVM, underneath, the only tech I'm willing to use, after having used everything. Everyone gets to have their ridiculously overcomplex APIs, I get to have my actually working VMs.
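As an added example (not code from anyone in this thread), here is the kind of automated gate the "new image -> testing -> staged rollout" loop above implies, combining the two points made in the discussion: do not take an unpinned image from an unknown publisher, and when you do scan, know what you are looking for. It checks that every `FROM` in a Dockerfile is pinned to a digest, and reads a scanner report in a simplified Trivy-style JSON layout (the `Results`/`Vulnerabilities`/`Severity`/`FixedVersion` keys are assumed here, not taken from the thread) and blocks only on findings that are both at or above the chosen severity and have a fix available. The Dockerfile, the digest and the `EXAMPLE-…` finding IDs are constructed sample input so the script runs offline.

```python
"""Minimal CI gate for container images: digest-pinned bases plus a
scanner-report threshold. Added example; all inputs are constructed."""
import json
import re

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_from_lines(dockerfile: str) -> list[str]:
    """Return base images that are not pinned with @sha256:<digest>.
    'FROM scratch' and references to earlier build stages are skipped."""
    stages: set[str] = set()
    unpinned = []
    for raw in dockerfile.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        # FROM [--platform=...] <image> [AS <stage>]
        image = next(p for p in parts[1:] if not p.startswith("--"))
        if image != "scratch" and image not in stages and not DIGEST_RE.search(image):
            unpinned.append(image)
        if len(parts) >= 2 and parts[-2].upper() == "AS":
            stages.add(parts[-1])
    return unpinned


def blocking_findings(report: dict, min_severity: str = "HIGH") -> list[dict]:
    """Findings at or above min_severity that upstream has already fixed.
    Unfixable findings are worth tracking but do not block a rollout."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            rank = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0)
            if rank >= threshold and vuln.get("FixedVersion"):
                blocking.append({
                    "id": vuln["VulnerabilityID"],
                    "pkg": vuln["PkgName"],
                    "target": result["Target"],
                    "fixed": vuln["FixedVersion"],
                })
    return blocking


def gate(dockerfile: str, report: dict, min_severity: str = "HIGH"):
    """Return (ok, reasons). ok is True only when nothing blocks the image."""
    reasons = [f"FROM {img} is not pinned by digest" for img in unpinned_from_lines(dockerfile)]
    reasons += [f"{f['id']} in {f['pkg']} ({f['target']}) is fixed in {f['fixed']}"
                for f in blocking_findings(report, min_severity)]
    return (not reasons, reasons)


# Constructed sample input: one pinned stage, one unpinned runtime base.
FAKE_DIGEST = "0123456789abcdef" * 4  # placeholder, not a real image digest
SAMPLE_DOCKERFILE = f"""
FROM golang:1.22@sha256:{FAKE_DIGEST} AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /app ./cmd/app

FROM debian:bookworm-slim
COPY --from=builder /app /app
ENTRYPOINT ["/app"]
"""

# Constructed scanner report in the simplified Trivy-style layout assumed above.
SAMPLE_REPORT = json.loads("""
{"Results": [{"Target": "debian:bookworm-slim (debian 12)", "Vulnerabilities": [
  {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample1", "Severity": "CRITICAL", "FixedVersion": "1.2.3-1"},
  {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libexample2", "Severity": "HIGH", "FixedVersion": ""},
  {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libexample3", "Severity": "LOW", "FixedVersion": "0.9-2"}
]}]}
""")

if __name__ == "__main__":
    ok, reasons = gate(SAMPLE_DOCKERFILE, SAMPLE_REPORT)
    print("PASS" if ok else "BLOCK")
    for reason in reasons:
        print(" -", reason)
```

With the sample input the gate blocks for two reasons: the unpinned `debian:bookworm-slim` base and the fixable CRITICAL finding; the HIGH finding with no fix is deliberately not a blocker, because failing a build on something nobody can fix yet only teaches people to ignore the scanner.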

jeroenhd 3 days ago | parent | prev [-]

Some orgs definitely scan images! I wouldn't say most, though.