Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
firesteelrain 5 days ago

I get it but the likelihood those vulns are exploitable in your environment is dubious. It’s a lot of compliance theater. Defense in depth

progbits 5 days ago | parent | next [-]

I agree, but I'm not spending my time arguing with PCI auditors.

Also it's safer from supply chain attacks. Malware inserted via compromised docker hub tokens is a growing threat.

firesteelrain 5 days ago | parent | next [-]

Right, I deal with NIST 800-53 based things where we have heavy albeit manual auditing. We pull from Iron Bank mostly but also employ Nexus Firewall. People can’t pull direct Docker Hub.

password4321 4 days ago | parent [-]

Yes, if you need someone else to work on securing your Docker base images for free, you can get more info about the US Air Force Platform One IronBank at https://docs-ironbank.dso.mil/faq

> Currently there is no cost to contributors or users for Iron Bank. It is a service currently funded by the US Department of Defense.

You can poke around for their public Dockerfile's to build yourself at https://repo1.dso.mil/explore (for example: https://repo1.dso.mil/dsop/opensource/debian/debian12.x/debi...) but to do much useful you'll need an account.

Another organization in Platform One, Big Bang uses IronBank containers to implement a reference DevSecOps CI/CD architecture; I mention them because they maintain a mirror at https://github.com/DoD-Platform-One/bigbang

mdaniel 4 days ago | parent [-]

A reference CI/CD architecture with a 2466 line helm values.yaml, whew <https://github.com/DoD-Platform-One/bigbang/blob/3.5.1/chart...>

I have no idea who would win in a fight between people with literal guns and IBM's legal team <https://repo1.dso.mil/big-bang/product/packages/vault/-/blob...> vs <https://github.com/hashicorp/vault/blob/v1.20.2/LICENSE>. I guess to their credit, they do say at the top "licensing is complicated" but then go on to cite the old actual open source license that no longer applies https://github.com/DoD-Platform-One/bigbang/blob/3.5.1/docs/...

cmckn 5 days ago | parent | prev [-]

Constantly updating to the latest version of innumerable software projects is safer from supply chain attacks? :)

My experience has been that the cost of “patching” is often bugs and instability, having gained nothing security-wise.

5 days ago | parent | prev [-]
[deleted]