• jagged_circle@feddit.nl
    11 hours ago

    It downloads things without checking signatures by default. And even if you enable DCT, it TOFUs every key without even asking or checking against a WoT.

    Basically, using docker means you could run malicious code (arbitrary code execution) in your container because it doesn’t verify what it downloads.

    • jarfil@beehaw.org
      4 hours ago

      The bright side is that you run it in a container. Beware of privileged mode, don’t give it unnecessary mounts or networks, and there’s very little some malicious code can do.

      If you’re using it for a build system, tough luck, but you need to manage the keys to avoid TOFU, and ideally pull from your own registry.
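The advice above (don't trust whatever a tag resolves to, pull from a registry you control) can be enforced mechanically before a build runs. The following is an added example, not code from either commenter: a hypothetical Dockerfile audit that flags `FROM` images not pinned by a `sha256` digest (a digest is verified by the daemon on pull, whereas a tag can be re-pointed) and images from registries outside an allowlist. The allowlist entry `registry.internal.example`, the sample Dockerfile and its digest value are constructed placeholders.

```python
import re

# Constructed assumption: the only registry this team's builds may pull from.
ALLOWED_REGISTRIES = {"registry.internal.example"}

# FROM [--platform=...] <ref> [AS <alias>]; ARG substitution is not resolved here.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def registry_of(ref: str) -> str:
    """Docker Hub is implied unless the first path component looks like a host."""
    first = ref.split("/", 1)[0]
    if "/" not in ref or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def audit_dockerfile(text: str, allowed=ALLOWED_REGISTRIES):
    """Return (line_no, image_ref, problem) for every FROM that is not trustworthy."""
    findings = []
    stages = set()  # aliases of earlier build stages; referencing them is fine
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("alias"):
            stages.add(m.group("alias").lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue  # previous stage or the empty image, nothing is downloaded
        if not DIGEST_RE.search(ref):
            findings.append((no, ref, "not pinned by digest; tag can be re-pointed"))
        if registry_of(ref) not in allowed:
            findings.append((no, ref, "registry not in allowlist"))
    return findings


# Constructed sample: one unpinned Docker Hub image, one pinned internal image.
SAMPLE = (
    "FROM ubuntu:22.04 AS builder\n"
    "FROM --platform=linux/amd64 registry.internal.example/base@sha256:"
    + "0123456789abcdef" * 4 + "\n"  # placeholder digest, not a real image
    "FROM builder\n"
    "FROM scratch\n"
)

if __name__ == "__main__":
    for no, ref, problem in audit_dockerfile(SAMPLE):
        print(f"line {no}: {ref}: {problem}")
```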