undefined | Better HN

0 pointsX86BSD10y ago0 comments

It's not that the paper is wrong for only focusing on Linux "containers".

It's that the paper, while describing the security short comings of the various solutions, illustrates the echo chamber I refer to.

"We have these security issues, that others do not have, but we are not going to look at how they solved these issues because, well, Linux!"

The paper, IMO, would have better served the audience had it included ideas and/or solutions people outside Linux-land developed to solve some of these issues that were written before Linux even attempted a "container".

You are free to disagree.

0 comments

5 comments · 1 top-level

Scarbutt10y ago· 4 in thread

and how do you know the others solutions are really secure? Linux is going to get the most eyes, critics, scrutiny on this because is way more widely used than the other platforms that provide similar technologies.

AdieuToLogic10y ago

  and how do you know the others solutions
  are really secure? Linux is going to get
  the most eyes, critics, scrutiny on this
  because is way more widely used ...

This is commonly known as the "given enough eyeballs" fallacy[1]. While it might help when more people have an opportunity to review security critical subsystems, a given OS' popularity certainly does not guarantee this. Heartbleed[2] is often cited as an exemplar for this very situation.

1 - http://www.amazon.com/Facts-Fallacies-Software-Engineering-R...

2 - https://en.wikipedia.org/wiki/Heartbleed

dap10y ago

Because not only did the engineers who built it consider how the architecture would ensure security, they wrote all of the considerations and design choices down.[1] Even if they were completely wrong about everything, there's no reason to simply ignore all the thought that's been put into this problem.

[1] https://us-east.manta.joyent.com/bcantrill/public/ppwl-cantr...

i4k10y ago

Linux being secure is a fallacy too.

Spender talks about it for a long time: https://grsecurity.net/~spender/interview_notes.txt

Linux developers fix security bugs in irresponsible ways, saying nothing about the attack vector or CVE's involved. Sometimes multiple vulnerabilities are addressed in the same patch, making hard to track the fix.

For more information see the exploit below: https://grsecurity.net/~spender/exploits/64bit_dos.c

The list of kernel vulnerabilities involving namespaces is bigger each day, as the paper shows, but the industry still uses "container" and "security" in the same quotes.

pyvpx10y ago

other than something like seL4, no one _knows_ what is really secure. however it would be hard to argue that a decade+ of container systems such as FreeBSD Jail and Solaris' functional equivalent (the precise name escapes me) don't have useful lessons "Linux can learn from".

j / k navigate · click thread line to collapse