Comment on Rybbit - Open source Google Analytics replacement
quick_snail@feddit.nl 2 days ago
Docker pull is insecure
It’s the download that’s not verified
Download the image manually with something like curl???
Hahahahahaha good luck.
partofthevoice@lemmy.zip 2 days ago
You can verify the checksum to ensure the contents pulled are exactly the same as what was published. You can also use a private container registry.
quick_snail@feddit.nl 2 days ago
Yeah, that’s the insecurity I’m talking about.
If you want to know how to implement this properly, look at apt. It’s a known issue in Docker; they just haven’t prioritized the fix yet (DCT)
partofthevoice@lemmy.zip 2 days ago
What are you talking about, “yeah that’s the insecurity I’m talking about.”
I didn’t mention an insecurity and neither have you. Would you mind being a little more clear than “Docker pull is insecure?”
Frankly, I was expressing confidence in Docker’s security. It goes without saying though, any user can do insecure things like download from untrusted sources. That’s not Docker’s problem though, it’s the user’s.
quick_snail@feddit.nl 2 days ago
Checksums are not for security. You need signatures. I’m not making claims that aren’t clearly documented.