
Thank you for the clarification of your point. It really shows a perfect example of Red Hat marketing.

Can you please give a link to the announcement from Red Hat or someone else urging their users that they don't need to upgrade? It would be the last thing closing the question.




The blog post being discussed here is the latest example. NOTE: the blog post has since been updated without acknowledging the inaccuracies in the earlier version.


Just for history:

First post saved by archive.org: http://web.archive.org/web/20170114090437/http://rhelblog.re...

Latest post: http://web.archive.org/web/20170117054512/http://rhelblog.re...

  $ wdiff -n -3 first latest
  
  ======================================================================
  [-Docker 0-Day Stopped Cold by-] SELinux
  ======================================================================
   SELinux {+Mitigates docker exec Vulnerability+}
  ======================================================================
   Fixed packages [-have been-] {+are being+} prepared and shipped for RHEL
  ======================================================================
   [-Centos.-] {+CentOS.+}
  ======================================================================
  
  
  
  [-Stopping 0-Days with-] SELinux
  ======================================================================
   SELinux {+Reduces Vulnerability+}
  ======================================================================
  
  
  [-How about a more visually enticing demo? Check out this animation:-]
  ======================================================================
   we were glad to see that our customers were [-safe-] {+safer+} if running containers with setenforce 1
  ======================================================================
   {+Even with SELinux in enforcement, select information could be leaked, so it is recommended that users patch to fully remediate the issue.+}
  {++}
  {+This post has been updated to better reflect SELinux’s impact on the Docker exec vulnerability and the changing threat landscape facing Linux containers.+}
  ======================================================================

I'm not sure that the first post's version can be considered a recommendation not to upgrade. It just shows how Red Hat people were happy to see that the bug was prevented by another subsystem. I, as a sysadmin, would be happy to know that I'm not obligated to urgently upgrade everything I have. For most sysadmins it can be considered a workaround that is already engaged.

You as a Docker developer see the post as an attack on your project. But most sysadmins and kernel developers see it as a nice example of the fruits of long, invisible work - when a well-cared-for system with accurately configured security restrictions protects against some vulnerabilities.

Anyway, it doesn't mean underestimation of Docker and your great job. Sorry you got stressed by all this noise.



