undefined | Better HN

0 pointseastbound1y ago0 comments

You said it: Your versions were locked. Therefore it is not constantly up-to-date.

I was pinched myself: Security.

- With the cloud threats, everything needs to be constantly up-to-date. Docker images make it easier than permanent servers that need to be upgraded. We used to upgrade every week, now we’re upgraded by default. So yes, sometimes our images don’t start with the latest version of xyz. But this is rare, downgrade is easy with Docker, and reproduction on a dev engine easier.

- With the cloud threats, everything needs to be isolated. Docker makes it easy to have an Alpine with no other executable than strictly necessary, and only open ports to the required services.

I hate the cloud because 4GB/2CPU should be way enough to run extremely large workloads, but I had to admit that convenience made me switch.

0 comments

hliyan1y ago

We did upgrades periodically, each time a conscious choice after reviewing the release notes of the dependency. Occasionally a script would need to be updated, but that was it.

j451y ago

What needs to be constant and up to date is reviewing the new patches and which ones can be released and not locked.

The versions that are not locked can be a test or dev environment that constantly updates and checks for errors.

Security threats are a thing, how we do and don't use technologies as well which ones can also factor in to how much is exposed.

Spivak1y ago

A container is locking the whole OS, on this axis it's not an improvement either direction. You still need a way to update deps.

j / k navigate · click thread line to collapse