Docker Hub security dissed, dodgy container image data damned At DockerCon in San Francisco on Wednesday, CEO Steve Singh highlighted security as one of Docker's core principles. Only a day earlier, Germany-based security software development shop Kromtech suggested security wasn't a priority for the code containerizer. Over the past twelve months, Kromtech explained in a blog post, …
For instance, if you want to build a python -manylinux wheel (a binary package that will work on, wait for it, many versions of linux), the current specifications say you need to do it on a CentOS 5 image.
There's lots of shit like that out there.
Early on, I complained about the lack of cryptographically-signed Docker images and brought up the inherent problems of letting random people publicly post executable code (images) whenever they want, on the Github repo issues and was met with a brush off with “edge-cases” and a vague decision-by-committee deferment. These are the sort of developers whom chmod 777 and don’t understand the need for SELinux. I’ve concluded CoreOS and rkt are better solutions on the stack side, and that it’s stupid to use public containers in anything real... always build your own container base images from known-good, gpg-verified media/repos. Then and only they can you be sure this “easy sharing” BS isn’t dragging along noob mistakes/fragility or malware. Never get lazy by depending on random heaps of layered amateurism.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
