Please explain this to me
Comment on What is Docker?
jagged_circle@feddit.nl 1 month ago
Its an extremely fast and insecure way to setup services. Avoid it unless you want to download and execute malicious code.
Darioirad@lemmy.world 1 month ago
jagged_circle@feddit.nl 1 month ago
Package managers like apt use cryptography to check signatures in everything they download to make sure they aren’t malicious.
Docket doesn’t do this. They have a system called DCT but its horribly broken (not to mention off by default).
So when you run
docker pull, you can’t trust anything it downloads.Darioirad@lemmy.world 1 month ago
Thank you very much! For the off by default part i can agree, but why it’s horribly broken?
jagged_circle@feddit.nl 1 month ago
PKI.
Apt and most release signing has a root of trust shipped with the OS and the PGP keys are cross signed on keyservers (web of trust).
DCT is just TOFU. They disable it because it gives a false sense of security. Docket is just not safe.
festus@lemmy.ca 1 month ago
Entirely depends on who’s publishing the image. Many projects publish their own images, in which case you’re running their code regardless.
jagged_circle@feddit.nl 1 month ago
Nope. See DCT. Its a joke.
Use apt.
ianonavy@lemmy.world 1 month ago
You know container image attestations are a thing, right?
jagged_circle@feddit.nl 1 month ago
You know it doesn’t verify any signature on download, right?
ianonavy@lemmy.world 1 month ago
A signature only tells you where something came from, not whether it’s safe. Saying APT is more secure than Docker just because it checks signatures is like saying a mysterious package from a stranger is safer because it includes a signed postcard and matches the delivery company’s database. You still have to trust both the sender and the delivery company. Sure, it’s important to reject signatures you don’t recognize—but the bigger question is: who do you trust?
APT trusts its keyring. Docker pulls over HTTPS with TLS, which already ensures you’re talking to the right registry. If you trust the registry and the image source, that’s often enough. If you don’t, tools like Cosign let you verify signatures. Pulling random images is just as risky as adding sketchy PPAs or running curl | bash—unless, again, you trust the source. I certainly trust Debian and Ubuntu more than Docker the company, but “no signature = insecure” misses the point.
Pointing out supply chain risks is good. But calling Docker “insecure” without nuance shuts down discussion and doesn’t help anyone think more critically about safer practices.
jagged_circle@feddit.nl 1 month ago
Oof, TLS isnt a replacement for signatures. There’s a reason most package managers use release sognstirse. x.509 is broken.
And, yes PGP has a WoT to solve its PKI. That’s why we can trust apt sigs and not docker sigs.