• danA · 4 · 14 hours ago

    How does Docker reduce security?

    • jagged_circle@feddit.nl · 2 · 8 hours ago (edited)

      It downloads things without checking signatures by default. And even if you enable DCT, it TOFUs every key without even asking or checking against a WoT.

      Basically, using docker means you could run malicious code (arbitrary code execution) in your container because it doesn’t verify what it downloads.

      • jarfil@beehaw.org · 1 · 1 hour ago

        The bright side is that you run it in a container. Beware of privileged mode, don’t give it unnecessary mounts or networks, and there’s very little some malicious code can do.

        If you’re using it for a build system, tough luck, but you need to manage the keys to avoid TOFU and ideally pull from your own registry.
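The two mitigations the replies above point at, written out as an added example that is not part of any post in the thread: refuse image references that are not pinned to a digest (so the daemon checks the downloaded content against a hash you chose, rather than trusting whatever the registry currently serves for a mutable tag), and run the result with the privileges stripped. `is_digest_pinned`, `safe_pull` and `hardened_run` are hypothetical helper names; the digest in the usage comment is a constructed placeholder, not a real image digest. `DOCKER_CONTENT_TRUST=1` is the real environment variable that turns on DCT, and the `docker run` flags are all standard.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper names are hypothetical.

# Return 0 if IMAGE is pinned to a content digest (name@sha256:<64 hex>),
# 1 otherwise. A bare tag like "alpine:3.19" is mutable and therefore
# cannot be verified against anything you chose in advance.
is_digest_pinned() {
    case "$1" in
        *@sha256:*)
            digest="${1##*@sha256:}"
            # exactly 64 lowercase hex characters, nothing trailing
            printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$'
            ;;
        *)
            return 1
            ;;
    esac
}

# Refuse to pull anything that is not digest-pinned. DOCKER_CONTENT_TRUST=1
# additionally makes the client require a Notary signature on tag pulls;
# as noted above, it trusts the first key it sees unless you manage the
# root keys yourself.
safe_pull() {
    image="$1"
    if ! is_digest_pinned "$image"; then
        echo "refusing to pull unpinned image reference: $image" >&2
        return 2
    fi
    DOCKER_CONTENT_TRUST=1 docker pull "$image"
}

# Run IMAGE with the least privilege that still lets it do its job:
# no capabilities, no privilege escalation, read-only root filesystem,
# no network, an unprivileged uid, a pid cap, and no host mounts at all.
# Anything after IMAGE is passed as the container command. If a job really
# needs a directory, add a single explicit read-only bind mount here rather
# than mounting the host wholesale.
hardened_run() {
    image="$1"
    shift
    if ! is_digest_pinned "$image"; then
        echo "refusing to run unpinned image reference: $image" >&2
        return 2
    fi
    docker run --rm \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --read-only --tmpfs /tmp \
        --network=none \
        --user 65534:65534 \
        --pids-limit 256 \
        "$image" "$@"
}

# Usage (digest below is a constructed placeholder; substitute the real one
# reported by your own registry):
#   IMG=alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#   safe_pull "$IMG" && hardened_run "$IMG" id
```

The check lives in the shell wrapper rather than in Docker because, as the thread says, the daemon will happily fetch an unsigned tag by default. Pinning by digest sidesteps the key-management problem for pulls (the hash is the trust anchor), while `DOCKER_CONTENT_TRUST=1` covers the case where someone still passes a tag. Neither helps if the container is then started with `--privileged` or a bind mount of the Docker socket, which is what the run flags are there to prevent.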