raesene9 5 days ago
Yep, differentiation is tricky here. Chainguard are expanding out to VM images and programming language repos, but the core of hardened container images has a lot of options. The question I'd be interested in is, outside of markets where there's a lot of compliance requirements, how much demand is there for this as a paid service... People like lower-CVE images, but are they willing to pay for them? I guess that's an advantage for Docker's offering. If it's free there is less friction to trying it out compared to a commercial offering.
staticassertion 4 days ago
If you distribute images to your customers it is a huge benefit to not have them come back with CVEs that really don't matter but are still going to make them freak out.
thayne 4 days ago
> outside of markets where there's a lot of compliance requirements

That includes anyone who wants to sell to the US government (and probably other governments as well). FedRAMP essentially[1] requires using "hardened" images.

[1]: It isn't strictly required, but without it, things like passing security scans and FIPS compliance are more difficult.
idiotsecant 5 days ago
Depends what type of shop. If you're in a big dinosaur org and you 'roll your own' that ends up having a vulnerability, you get fired. If you pay someone else and it ends up having a vulnerability you get to blame it on the vendor.