| ▲ | supriyo-biswas 5 days ago |
| What probably carries more value is the helm charts that they provide which are also on their way out. The images themselves have official replacements (for example, looking at https://hub.docker.com/u/bitnami why wouldn’t I use Node or Postgres images from the official sources instead). I have no idea how many people actually used their helm charts though. |
| ▲ | progbits 5 days ago | parent | next [-] |
| They do keep some of them more up to date, for example the bitnami python image had system packages patched faster than the official one. But if you are willing to pay then chainguard is a better solution. |
| ▲ | firesteelrain 5 days ago | parent [-] |
| ChainGuard is $$$$$$$. We talked to them a couple of years ago. A lot of what they are doing besides Wolfi is using Alpine, which removes a lot of findings by default. |
| ▲ | progbits 5 days ago | parent | next [-] |
| Alpine helps but it's not perfect. Plenty of outdated packages with known CVEs there for a long time. Often they are not exploitable, but it's easier to pay Chainguard to have a constant zero on our vuln scanner than to deal with distroless builds ourselves. The GPU images are indeed very expensive though. |
| ▲ | firesteelrain 5 days ago | parent [-] |
| I get it, but the likelihood those vulns are exploitable in your environment is dubious. It’s a lot of compliance theater. Defense in depth. |
| ▲ | progbits 5 days ago | parent | next [-] |
| I agree, but I'm not spending my time arguing with PCI auditors. Also it's safer from supply chain attacks. Malware inserted via compromised Docker Hub tokens is a growing threat. |
| ▲ | firesteelrain 5 days ago | parent | next [-] |
| Right, I deal with NIST 800-53 based things where we have heavy, albeit manual, auditing. We pull from Iron Bank mostly but also employ Nexus Firewall. People can’t pull direct from Docker Hub. |
| ▲ | cmckn 5 days ago | parent | prev [-] |
| Constantly updating to the latest version of innumerable software projects is safer from supply chain attacks? :) My experience has been that the cost of “patching” is often bugs and instability, having gained nothing security-wise. |
| ▲ | 5 days ago | parent | prev [-] |
| [deleted] |
| ▲ | Sparkle-san 4 days ago | parent | prev | next [-] |
| For what it's worth, their pricing has decreased substantially over the last year. Their most recent quote to us was about 25% of the one we received a year or so ago. |
| ▲ | progbits 4 days ago | parent [-] |
| For some more transparency, we pay ~$9k/year per image (all versions/variants) for some basic images (think python, golang etc). The ones with CUDA drivers are more expensive, but I don't have the exact prices on hand. |
| ▲ | AsmodiusVI 4 days ago | parent | prev [-] |
| Docker isn’t nearly the same $$$. Their catalog is growing. |
| ▲ | asmor 5 days ago | parent | prev [-] |
| Some other open source projects have also shipped Bitnami software in their own helm charts, i.e. APISIX's etcd instance is the Bitnami chart pulled in as a dependency. Not that it ever worked well; we had to scale it to 1 because the quorum would constantly break into unrecoverable states. |