cm0002@lemmy.world to Programmer Humor@programming.dev · 2 months ago
How Docker was born (image, via lemmy.ml) · +820 / -26 · 40 comments · cross-posted to: [email protected]
kitnaht@lemmy.world (banned) · 2 months ago (+20 / -1): The biggest problem that I have with docker is honestly, the fear of a supply-chain attack.

MrPistachios@lemmy.today · 2 months ago (+5): But wouldn't that be an issue regardless of docker?

corsicanguppy · 2 months ago (+1): Enterprise security folks will back you up on that concern.

roofuskit@lemmy.world · 2 months ago (+1): Enterprise folks also shouldn't be pulling updates down to production environments.

Drasla@lemmy.studio · 2 months ago (+1 / -1): You mean compromised code sneaking into Docker images? Or a DOS on dockerhub?

kitnaht@lemmy.world (banned) · 2 months ago (+7 / -3): Supply chain attack has a definition. And it has nothing to do with DDoS.

roofuskit@lemmy.world · 2 months ago (+2): They worry about someone replacing the docker image on the hosting server with a malicious modified version for people to pull down during updates.

zalgotext@sh.itjust.works · 2 months ago (+9): This worry exists for literally every 3rd party dependency, not just docker, and is addressed the same way: by running tests and vulnerability scans in a sandboxed test environment before shipping to prod.

roofuskit@lemmy.world · 2 months ago (+2): I was just answering a question. I had the same response above.

zalgotext@sh.itjust.works · 2 months ago (+2): And I was just adding extra details.
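The scenario roofuskit describes (an image silently swapped under the same tag on the registry) works because tags like `:latest` or `:1.4.2` are mutable pointers; the pull resolves to whatever manifest the registry serves at that moment. Pinning by digest (`name@sha256:<hex>`) names the exact manifest bytes, so a replaced image no longer matches and the pull can be refused before any scanning in the sandbox even begins. The following is an added example for this thread, not code posted by anyone in it: a small digest-pinning checker. The manifests, the `example.com/team/app` image name and the compose snippet are all constructed here; nothing is fetched from a registry, and the simplified reference parser does not handle `host:port/` registry prefixes.

```python
"""Digest pinning check for container image references (added example).

Registry content digests are the sha256 of the exact manifest bytes served,
so a reference carrying @sha256:<hex> can be verified locally against the
manifest a pull returns. Sample data below is constructed, not real images.
"""
import hashlib
import json
import re

# Simplified OCI/Docker reference grammar: name[:tag][@sha256:hex].
# Assumption: no host:port registry prefix (e.g. localhost:5000/app).
_REF = re.compile(
    r"^(?P<name>[a-z0-9]+(?:[._/-][a-z0-9]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_ref(ref):
    """Split an image reference into name, tag and digest (None when absent)."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return m.groupdict()


def is_pinned(ref):
    """True only when the reference carries a digest; a tag alone is mutable."""
    return parse_ref(ref)["digest"] is not None


def manifest_digest(manifest_bytes):
    """Compute the registry-style content digest of raw manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def verify_pull(ref, manifest_bytes):
    """Return True iff ref is digest-pinned and the served manifest matches it.

    An unpinned ref is rejected outright: with only a tag there is nothing
    trustworthy to compare the served manifest against.
    """
    parts = parse_ref(ref)
    if parts["digest"] is None:
        return False
    return manifest_digest(manifest_bytes) == parts["digest"]


def find_unpinned(compose_text):
    """List `image:` references in a docker-compose file that lack a digest."""
    unpinned = []
    for line in compose_text.splitlines():
        m = re.match(r"^\s*image:\s*['\"]?([^'\"\s]+)", line)
        if m and not is_pinned(m.group(1)):
            unpinned.append(m.group(1))
    return unpinned


# Constructed manifests: the build the operator reviewed, and a tampered one
# an attacker pushed to the registry under the very same tag.
GOOD_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"digest": "sha256:" + "11" * 32, "size": 1234},
    "layers": [{"digest": "sha256:" + "22" * 32, "size": 5678}],
}, separators=(",", ":"), sort_keys=True).encode()

EVIL_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"digest": "sha256:" + "11" * 32, "size": 1234},
    "layers": [
        {"digest": "sha256:" + "22" * 32, "size": 5678},
        {"digest": "sha256:" + "33" * 32, "size": 999},  # injected layer
    ],
}, separators=(",", ":"), sort_keys=True).encode()

# Hypothetical image name; the digest is derived from the reviewed manifest.
PINNED_REF = "example.com/team/app:1.4.2@" + manifest_digest(GOOD_MANIFEST)
TAG_ONLY_REF = "example.com/team/app:1.4.2"

# Constructed compose fragment: one mutable tag, one digest-pinned image.
COMPOSE = """\
services:
  web:
    image: example.com/team/app:1.4.2
  cache:
    image: redis@sha256:%s
""" % ("ab" * 32)

if __name__ == "__main__":
    print("pinned ref, genuine manifest :", verify_pull(PINNED_REF, GOOD_MANIFEST))   # True
    print("pinned ref, swapped manifest :", verify_pull(PINNED_REF, EVIL_MANIFEST))   # False
    print("tag-only ref, any manifest   :", verify_pull(TAG_ONLY_REF, GOOD_MANIFEST)) # False
    print("unpinned images in compose   :", find_unpinned(COMPOSE))
```

The tag-only reference is rejected even when the manifest is genuine: the point of `verify_pull` is that a pull with nothing but a mutable tag gives the operator no way to tell the reviewed build from a swapped one, so it should never be the way production hosts fetch updates. Pinning does not replace the sandboxed tests and scans zalgotext mentions; it guarantees that what reaches prod is byte-for-byte the manifest that passed them.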