progbits 5 days ago

Alpine helps but it's not perfect. Plenty of outdated packages with known CVEs there for a long time.

Often they are not exploitable, but it's easier to pay Chainguard to have a constant zero on our vuln scanner than to deal with distroless builds ourselves.

The GPU images are indeed very expensive though.

firesteelrain 5 days ago | parent [-]

I get it but the likelihood those vulns are exploitable in your environment is dubious. It’s a lot of compliance theater. Defense in depth

progbits 5 days ago | parent | next [-]

I agree, but I'm not spending my time arguing with PCI auditors.

Also it's safer from supply chain attacks. Malware inserted via compromised docker hub tokens is a growing threat.

firesteelrain 5 days ago | parent | next [-]

Right, I deal with NIST 800-53 based things where we have heavy albeit manual auditing. We pull from Iron Bank mostly but also employ Nexus Firewall. People can’t pull direct Docker Hub.

password4321 4 days ago | parent [-]

Yes, if you need someone else to work on securing your Docker base images for free, you can get more info about the US Air Force Platform One IronBank at https://docs-ironbank.dso.mil/faq

> Currently there is no cost to contributors or users for Iron Bank. It is a service currently funded by the US Department of Defense.

You can poke around for their public Dockerfiles to build yourself at https://repo1.dso.mil/explore (for example: https://repo1.dso.mil/dsop/opensource/debian/debian12.x/debi...) but to do much useful you'll need an account.

Another organization in Platform One, Big Bang, uses IronBank containers to implement a reference DevSecOps CI/CD architecture; I mention them because they maintain a mirror at https://github.com/DoD-Platform-One/bigbang

mdaniel 4 days ago | parent [-]

A reference CI/CD architecture with a 2466 line helm values.yaml, whew <https://github.com/DoD-Platform-One/bigbang/blob/3.5.1/chart...>

I have no idea who would win in a fight between people with literal guns and IBM's legal team <https://repo1.dso.mil/big-bang/product/packages/vault/-/blob...> vs <https://github.com/hashicorp/vault/blob/v1.20.2/LICENSE>. I guess to their credit, they do say at the top "licensing is complicated" but then go on to cite the old actual open source license that no longer applies https://github.com/DoD-Platform-One/bigbang/blob/3.5.1/docs/...

cmckn 5 days ago | parent | prev [-]

Constantly updating to the latest version of innumerable software projects is safer from supply chain attacks? :)

My experience has been that the cost of “patching” is often bugs and instability, having gained nothing security-wise.
