undefined | Better HN

0 pointssubway7y ago0 comments

Those random docker images are rarely used in isolation. They typically handle your data and often your customers data.

Beyond that, numerous escape exploits in linux containerization (and docker specifically) have popped up over the years, and many more are going to pop up over the coming years. This is not a mature space.

Running random binary code distributed from an non-curated source, even in a "container" is going to end in heartache.

0 comments

kuschku7y ago

And that’s why you should usually build your own images, and only trust docker images from the same people whose binaries you’d also trust with all your data.

(e.g. a docker image from RedHat may be okay, one from zhenghe8 likely not)

Sylos7y ago

> Those random docker images are rarely used in isolation. They typically handle your data and often your customers data.

Thank you. This is something that I truly hate Google for. They constantly spread this mentality that isolation = nothing bad can ever happen to your data. And then they build a horrible permission system on top of that idea and leave everything else up to the user.

And as a result, the Google Play Store and Chrome Store are the most malware-filled app stores that I'm aware of.

Despite that, you still had people giving Firefox shit for not isolating add-ons, which however were thoroughly reviewed and as a result quite clearly less often subject to malicious intents.

And then something like the Web of Trust fiasco, where the add-on as a feature sends your browsing history out to the internet and then bad things happen there (the WoT devs sold the browsing data in an anonymized form that was shown to be deanonymizable rather easily), against that neither isolation nor a review can help, so we shouldn't act like any security technique is perfect. We still need users to think for themselves, even if that's bad for Google's business model.

j / k navigate · click thread line to collapse