Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
pixl97 6 hours ago

>are all built continuously from upstream source

2. Isn't there a slight risk of upstream attacks being amplified by this? With the recent number of software compromises providing a way for people to use images X days old may be useful.

3. This ties into 2, if someone downloads and uses an image that is later found to be compromised they mostly have no way of being notified that happened. Not a huge issue, but is something that should be risk assessed.

hobofan 4 hours ago | parent | next [-]

> 2. Isn't there a slight risk of upstream attacks being amplified by this?

I think the argument would be that consuming Minimus' containers would have a less severe amplification (or even reduction), as all upstream attacks that rely on a combination of third-party vulnerabilities would be rendered infeasible (since they reduce the amount of third-party dependencies in an image).

> 3. This ties into 2, if someone downloads and uses an image that is later found to be compromised they mostly have no way of being notified that happened.

For this you need a consumption-aware scanner anyways (e.g. that lists images running in your Kubernetes). Anything else will be too spammy, as you can't notify for everything for you have at some point in time have used as a base image.

morellonet 4 hours ago | parent [-]

Also note that one of the features of Enterprise Edition is our integrations with Slack, email, GitHub, webhooks, etc. This enables really simple but powerful notification and automation scenarios based on image fixes (amongst other triggers like a version you're using going EOL).

For example, with EE, you can create an action to automatically trigger a webhook or send a Slack message when an image you're using has a critical CVE that's likely to be exploited (we also integrate threat intel from EPSS, KEV, etc).

Definitely still value in having runtime scanning / visibility too, but EE makes it easy to do purely on the 'left' side of things too.

s_ting765 5 hours ago | parent | prev [-]

Pausing software updates by X days old is a hack at best for specific distribution platforms (npm), not a general security recommendation.