| ▲ | getcrunk 4 hours ago | ||||||||||||||||||||||||||||||||||||||||||||||
I think we are at the point where everyone really needs to run each project in its own vm. Given the recent lpe vulns docker 100% won’t cut it. And containers were never meant primarily as a security boundary anyways | |||||||||||||||||||||||||||||||||||||||||||||||
| ▲ | Gigachad 2 hours ago | parent | next [-] | ||||||||||||||||||||||||||||||||||||||||||||||
QubesOS had the right idea. You want layers and layers of security, with multiple VMs at the root. | |||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||
| ▲ | omcnoe 2 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||||||||||||||||||||
Devcontainers (I know it's not a full VM, but it's most prominent version of this "isolated development environment" concept) wouldn't fully protect you against this. Github credentials are automatically pulled into the container. If you are using other cloud services that need to be accessed within the container, this cred stealer will grab their creds too. It would limit the blast radius, which at least is an improvement. | |||||||||||||||||||||||||||||||||||||||||||||||
| ▲ | 9cb14c1ec0 4 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||||||||||||||||||||
Or a vm per container, if you insist on containers. I've have a couple of relaxed weeks recently due to running everything on VMs rather than some random Kubernetes service. | |||||||||||||||||||||||||||||||||||||||||||||||
| ▲ | einpoklum 4 hours ago | parent | prev [-] | ||||||||||||||||||||||||||||||||||||||||||||||
Luckily, projects using more secure language ecosystems like C and C++ are spared this kind of problems :-) | |||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||