It serves as an amazing excuse to re-invent the wheel at your own workplace. It's a hot technology, and if you're not using it, it's because you're inept. Rip all of the stable things out that everyone knew how to use and slap containers in there! If it's not working, it's because you're not using enough containers.

No security patching story at your workplace? No problem, containers don't have one either! If someone has shipped a container that embedded a vulnerable library, you better hope you can get a hold of them for a rebuild or you have to pull apart the image yourself. It's the static linking of the 21st century!

I want to downvote the first paragraph but upvote the second one.

Doesn't Docker also help cause problems like ssh private key reuse? I am sure that there are mitigations, but it's sad to have ways to prevent some activity that the software makes easy to do.

>I want to downvote the first paragraph but upvote the second one.

I had the very same feeling. Containers are very useful, but the Docker suite of tools just doesn't have a very good security story.

They have the same security story as other linux systems.

That's... just not true.

You have an SSL vulnerability, you need to patch the docker image, just like you'd have to patch a linux system.

Now you say something of substance!

Docker hosts pre-built images that have known exploits in them. They also bundle insecure versions of libraries with their software: https://github.com/docker/compose/issues/1601

I think the problem here is that people seem to assume that "application isolation" is synonymous with "security isolation." Your statement is true, the vulnerabilities are the same, but people don't seem to get that there is no "security story" for containers in the first place. That isn't their job.

Isn't one of the claims that if you patch the main OS (without changing the libraries... just patch like you would normally) with a new base image, then with the Dockerfile you could re-set up the application in a matter of minutes?

while promising a much better one...

