So, if I understand correctly: rather than using prebuilt images from Docker Hub or untrusted sources, the recommended approach is to start from a minimal base image of a known OS (like Debian or Ubuntu), and explicitly install required packages via apt within the Dockerfile to ensure provenance and security. Does that make sense?
jagged_circle@feddit.nl 3 months ago
Package managers like apt use cryptography to check signatures in everything they download to make sure they aren’t malicious.
Docket doesn’t do this. They have a system called DCT but its horribly broken (not to mention off by default).
So when you run
docker pull, you can’t trust anything it downloads.Darioirad@lemmy.world 3 months ago
Thank you very much! For the off by default part i can agree, but why it’s horribly broken?
jagged_circle@feddit.nl 3 months ago
PKI.
Apt and most release signing has a root of trust shipped with the OS and the PGP keys are cross signed on keyservers (web of trust).
DCT is just TOFU. They disable it because it gives a false sense of security. Docket is just not safe.
Darioirad@lemmy.world 3 months ago
So, if I understand correctly: rather than using prebuilt images from Docker Hub or untrusted sources, the recommended approach is to start from a minimal base image of a known OS (like Debian or Ubuntu), and explicitly install required packages via apt within the Dockerfile to ensure provenance and security. Does that make sense?