servers rarely see updates. Maybe it happens in larger firms, but not in smaller shops.
*ouch*
adding PPAs or RPM repos, or installing things from source, I’d say that number is a lot higher than 0.
Nothing wrong with that. Unlike docker, that's a cryptographically protected toolchain/buildchain/depchain. Thus, a PPA owner is much less likely to get compromised.
Installing things from source in a secure environment is about as safe as you can get, when obtaining the source securely.
Docker contains that nonsense in a way that’s easy to update.
Really? Is there already a built-in way to update all installed docker containers?
What’s uneasy about apt full-upgrade?
Package managers don’t provide a sandbox.
I didn’t say that.
average user who doesn’t run updates consistently, may add sketchy dependencies, and doesn’t audit things would be better off with Docker.
That’s false.
but they’re less likely to cause widespread issues since each is in its own sandbox.
Also false. Sandbox evasion is very easy and the next local PE kernel vulnerability only weeks away. Also VM evasion is a thing.
Basically one compromised container giving local execution is enough to pwn your complete host.
in the same way that installing a malware-laden executable isn’t an OS problem
except no one is doing that. Every major distro has mechanisms for software supply chain security and reproducible builds.
Do your due diligence, especially if you’re not a developer and thus looking at the Dockerfiles is impractical.
You’re on to something here. If you automate that process, you end up with something we call a package manager.
it’s likely blog posts and users that are at fault.
Exactly. And since reviewing Dockerfiles is impractical, there’s no way docker prevents you from shooting yourself in the foot. Distros learned that long ago: insecure default configs or injected dependencies are a thing of the past there. With docker, those get reintroduced.
What you are saying is not new but you don’t seem to grasp the difference in risk when you run someone else’s configured environment on your system vs. manually setting them up yourself. You save a lot of time by using docker images but it comes with a price.
There’s no docker vulnerability
No need to. Like sudo doesn’t need a vulnerability when you let contributors of some repository use it on your box.
Things like snyk exist for a reason but it’s not mitigation, just monitoring.
You should stop telling people that using docker is no security problem because that’s wrong, as it adds attack surface to even the most secure projects. Sure, it saves time, but things like OP’s news will keep popping up in the future like they did in the past. It can’t be fixed other than by just not using it in production. At least build your own containers.
Don’t forget various past issues:
This entirely misses the point of Docker.
It’s just pointing out the risk of letting someone you don’t know, with no legal obligations, set up your complete environment.
How likely
Probably as likely as someone cracking your really secure ssh password. Still, any sane expert will recommend disabling password auth.
I only pull containers based on some official project.
How do you know they weren’t compromised?
but I don’t see anything here about Docker itself being a problem
The problem is that rootless docker is a pain and no one does it. Privileged software sideloading other software is a huge risk.
That risk now became an incident. Even if you’re not affected, the risk still remains.
always_has_been.jpg
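The thread above keeps coming back to two concrete checks: whether a container's configuration lets a compromised process reach the host (privileged mode, host namespaces, the docker socket bind-mounted in), and whether the image you pulled is actually the one the project published rather than a re-pushed tag. The script below is an added example, not code from the thread or from any project mentioned in it. It audits the JSON that `docker inspect` prints; the two container records embedded in it (names, image, digest and mount paths) are constructed for the example and do not describe any real deployment.

```python
"""Audit `docker inspect` output for settings that let a compromised
container reach the host, and flag images that are not pinned by digest.

Added example, not code from the thread. Run it as
    docker inspect <container> | python3 audit_container.py
or import it and call audit_inspect_output() on the JSON text.
"""
import json
import sys

# Constructed sample of what `docker inspect` prints for two containers.
# Names, image reference, digest and mount paths are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/risky-app",
        "Config": {"User": "", "Image": "example/app:latest"},
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "NetworkMode": "bridge",
            "IpcMode": "private",
            "CapAdd": ["SYS_ADMIN"],
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/data:/data"],
        },
    },
    {
        "Name": "/hardened-app",
        "Config": {"User": "10001:10001", "Image": "example/app@sha256:" + "ab" * 32},
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "NetworkMode": "bridge",
            "IpcMode": "private",
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "Binds": ["/srv/data:/data:ro"],
        },
    },
])

# Capabilities that are effectively root-on-host once granted to a container.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}
# Bind-mounting the daemon socket lets the container start a privileged sibling.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_container(record):
    """Return a list of findings for one `docker inspect` record (a dict)."""
    hc = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and raw /dev access, equivalent to root on the host")
    if hc.get("PidMode") == "host":
        findings.append("host PID namespace: container can see and ptrace host processes")
    if hc.get("NetworkMode") == "host":
        findings.append("host network: no network isolation, can bind host ports")
    if hc.get("IpcMode") == "host":
        findings.append("host IPC namespace shared with the container")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            findings.append(f"added capability {cap} is enough to escape the container")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src in DOCKER_SOCKETS:
            findings.append("docker socket mounted: container can start a privileged sibling on the host")
        elif src == "/":
            findings.append("host root filesystem bind-mounted into the container")
    if not cfg.get("User"):
        findings.append("no User set: processes run as uid 0 inside the container")
    if "@sha256:" not in (cfg.get("Image") or ""):
        findings.append("image referenced by tag, not digest: the tag can be re-pushed with different content")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(text)}


if __name__ == "__main__":
    # Read real `docker inspect` output from a pipe, otherwise demo on the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(source).items():
        print(f"{name}: {'clean' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The digest check is deliberately strict: `example/app:latest` passes `docker pull` just fine, but nothing ties it to the bytes the project actually built, whereas `example/app@sha256:...` fails to pull if the content changes. The rest of the checks are the settings that turn "local execution inside a container" into "root on the host" without any docker vulnerability being involved.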
Don’t prisoners all have the same preconditions?
With degrowth, in theory at least, growing poorer countries could get richer while degrowing richer countries would lose nothing.
I think solar occlusion is the way to go; you could harvest solar power 24/7 and beam it back via microwave;
That’s magnitudes more expensive than stopping fossils right now. Not to mention the impact on ecosystems worldwide.
Are these “generations” in the room with us right now?
otoh you have stuff like FreeCAD or OpenSCAD completely free and usable AND you could modify it as you please.
Back then FOSS CAD was barely usable.
Just use your media corporations
Exactly. It’s easier for smaller NGOs to do political lobbying since they don’t have any media corporations available.
If you take that away, you’re basically left with big actors and social media.
corporations with big pockets have more possibilities to influence than regular people, or even NGOs
I guess nowadays it’s cheaper to target social media and let the voters + traditional media do the lobbying.
It’s true. And Christmas trees would be fine if they’d end up in long-lasting buildings and wouldn’t need a lot of fertilizer, which usually is made from oil.
License is probably the reason they’re doing it. No way around that without infringing copyright law, I guess.
You could check how other FOSS projects do it, e.g. you externally link it as a library and use another license the user has to agree to just for that.
world-renowned, enterprise-level antivirus software running
lol. Better just use Defender next time.
edit: or not use Windows.
What are you trying to prevent? You can’t release anything (opensource or not) without risking someone stealing the idea without patenting.
No FOSS license will prevent that (quite the opposite, it encourages copying/modifications). Those licenses just prevent someone using your code commercially without releasing the source code again.
Not sure why you think that. If it’s indistinguishable, it’s still prior art. If it’s something better or different than your code, it’s a new thing.
Patents protect technical principles, not actual sourcecode.
No, the patent office would find your publication, deem it prior art and not grant the patent. If it missed it (some don’t research very well), anyone can notify them to void the patent afterwards at any time.
IANAL; there are lawyers specialized in patents who’ll reassure you for free/cheap (relatively, they are friggin expensive). It also depends on the legislation. Countries that break/never agreed to the PCT will do what they please.
Articles don’t mention mitigation methods.
What to disable in Thunderbird to not be vulnerable to “obfuscated JavaScript file that is sent to the victim through emails in archive files” and prevent that “The JavaScript file drops a self-copy at “C:\Users\<Username>” location with random names like “needlereportcreepy.bat”. The bat file is then executed”?