
So if we were to scan those Linux distributions for the same vulnerabilities found in the Docker images under discussion, we would find no vulnerabilities whatsoever?

Do we have to hit "no vulnerabilities whatsoever", or can we settle for "a lot less" and leave the goalposts alone?

Fair enough. So what’s your answer?

A lot less, mostly because:

- the docker containers are often based on the same distributions

- the distribution keeps receiving security updates that are often neglected by the docker ecosystem

- the distribution is designed to give maximum control to system engineers: not to install (or remove) any package that is not required

- applications are packaged using dynamic linking and without vendored dependencies as much as possible. Vulnerabilities in dependencies are patched once and for all system-wide

- some distributions do peer review and have a very high entry bar to become a member
